Abstract. In this paper, we present a heuristic algorithm that computes the ideal class group and a generator of a principal ideal (PIP) in $\mathbb{Q}(\zeta_{p^s})$ in time $2^{\tilde O(n^{1/2+\varepsilon})}$ for $n := \deg(\mathbb{Q}(\zeta_{p^s}))$ and arbitrarily small $\varepsilon > 0$. We introduce practical improvements to enhance its run time, and we describe a variant that can compute a generator of a principal ideal $I$ with $\mathcal{N}(I) \le 2^{n^b}$ in time 2 0 ( n + ' ) given a precomputation of the class group taking time 2 (n ' for an arbitrarily small $\varepsilon > 0$, where $b < 7a - 2$ and $1/2 < a < 1$. In particular, this precomputation allows us to solve these instances of the PIP in $\mathbb{Q}(\zeta_{p^s})$ with a run time lower than $2^{\tilde O(n^{1/2})}$.

Relying on recent work from Cramer et al. [CDPR16], this yields an attack on all the cryptographic schemes relying on the hardness of finding a short generator of a principal ideal of $\mathbb{Q}(\zeta_{p^s})$, such as the homomorphic encryption scheme of Vercauteren and Smart [SV10] and the multilinear maps of Garg, Gentry and Halevi [GGH13]. This attack (with and without precomputation) is asymptotically faster than the one relying on the work of Biasse and Fieker [Bia, BF14], which runs in time $2^{\tilde O(n^{2/3+\varepsilon})}$ for arbitrarily small $\varepsilon > 0$.

Moreover, combined with the recent heuristic reduction of $\gamma$-SVP to the PIP under reasonable assumptions on the class group of Cramer, Ducas and Wesolowski [CDW16], our algorithm solves $\gamma$-SVP in $\mathbb{Q}(\zeta_{p^s})$ for $\gamma \in e^{\tilde O(\sqrt n)}$ on input ideals $I$ satisfying $\mathcal N(I) \le 2^{n^b}$ in heuristic time 2 °(" 1 ') given a precomputation of the class group of $\mathbb{Q}(\zeta_{p^s})$ taking time 2 (n ' #7 / 2 — 3gl—|”£\ for an arbitrarily small $\varepsilon > 0$. When $b < 7a - 2$ and $1/2 < a < 1$, we can leverage the precomputation to achieve a better asymptotic run time than the BKZ algorithm.

In particular, the public keys of the multilinear maps of Garg, Gentry and Halevi [GGH13] satisfy our requirement on the input ideal with $b = 1 + o(1)$, and given a precomputation of time $2^{\tilde O(n^{5/7+\varepsilon})}$ for arbitrarily small $\varepsilon > 0$ on $\mathbb{Q}(\zeta_{p^s})$, our algorithm provides a key recovery attack in time $2^{\tilde O(n^{3/7+o(1)})}$.

1 Introduction 


Given an ideal $\mathfrak a$ of the maximal order $\mathcal O_K$ of $K = \mathbb Q(\zeta_{2^s})$, we want to decide if $\mathfrak a$ is principal, and if so, compute $\alpha \in \mathcal O_K$ such that $\mathfrak a = (\alpha)\mathcal O_K$. This corresponds to the Principal Ideal Problem (PIP), which is a fundamental problem in computational number theory. The resolution of the PIP in classes of number fields of large degree recently received growing attention due to its connection with cryptosystems based on the hardness of finding short generators of principal ideals, such as the homomorphic encryption scheme of Vercauteren and Smart [SV10] and the multilinear maps of Garg, Gentry and Halevi [GGH13].

A generator of a principal ideal of the maximal order $\mathcal O_K$ of $K = \mathbb Q(\zeta_{p^s})$ can be found in heuristic subexponential time $L_{|\Delta|}(2/3 + \varepsilon, c)$ for some $c > 0$, where
$$L_{|\Delta|}(a, b) = e^{(b + o(1))\,(\ln|\Delta|)^a\,(\ln\ln|\Delta|)^{1-a}},$$
by using an algorithm of Biasse and Fieker [Bia, BF14]. We can also find one in quantum polynomial time with an algorithm of Biasse and Song [BS16], which relies on the hidden subgroup resolution algorithm for $\mathbb R^{O(n)}$ of Eisenträger, Hallgren, Kitaev and Song [EHKS14]. To go from an arbitrary generator $\alpha$ to a small one, we need to multiply $\alpha$ by the right unit. This is an instance of the Bounded Distance Decoding problem in the lattice of the logarithms of the complex embeddings of the elements of $K$. Campbell, Groves and Shepherd [CGS14] observed that using an LLL reduction of the basis of this lattice consisting of the so-called cyclotomic units [Was82, Chap. 8] and performing a simple round-off reduction yielded the solution to the problem. This fact was corroborated by Schank in a replication study [Sch]. Shortly thereafter, Cramer, Ducas, Peikert and Regev [CDPR16] proved that this fact was due to the intrinsic geometric properties of the cyclotomic units and that the LLL reduction was not necessary. The draft of Campbell et al. also contained elements of ongoing work on a quantum algorithm for solving the PIP, which was interrupted when they conjectured that the methods of Eisenträger et al. [EHKS14] would ultimately yield a quantum polynomial time algorithm for solving the PIP.

These recent developments raised the question of the hardness of the Shortest Vector Problem (SVP) in ideal lattices (and principal ideal lattices in particular). According to Cramer et al. [CDPR16, Sec. 6], a short generator of a principal ideal in a cyclotomic ring is at least within a factor $e^{\tilde O(\sqrt n)}$ of a shortest element. To the best of our knowledge, there is currently no method that can leverage the knowledge of a short generator to derive an element with length within a better approximation factor to the first minimum. However, a short generator of a principal ideal is also a solution to $\gamma$-SVP for $\gamma \in e^{\tilde O(\sqrt n)}$. In addition, Cramer, Ducas and Wesolowski [CDW16] showed that given an ideal $I$ in a cyclotomic ring and under reasonable assumptions on the ideal class group, there is a heuristic method relying on the Discrete Logarithm Problem (DLP) in $\mathrm{Cl}(\mathcal O_K)$ to find an ideal $J \subseteq \mathcal O_K$ with $\mathcal N(J) \in e^{\tilde O(n^{3/2})}$ such that $IJ$ is principal. Then a short generator of the principal ideal $IJ \subseteq I$ yields a solution to $\gamma$-SVP in $I$ for $\gamma \in e^{\tilde O(\sqrt n)}$.

Contributions. We describe an attack running in heuristic complexity $2^{\tilde O(n^{1/2+\varepsilon})}$ for arbitrarily small $\varepsilon > 0$ against cryptographic schemes relying on the hardness of finding a short generator of an ideal in $\mathbb Q(\zeta_{p^s})$, including the homomorphic encryption scheme of Smart and Vercauteren [SV10] and the multilinear maps of Garg, Gentry and Halevi [GGH13]. We rely on different ideal class group computation and PIP algorithms than the subexponential methods of Biasse and Fieker [BF14], which run in time $2^{\tilde O(n^{2/3+\varepsilon})}$ for arbitrarily small $\varepsilon > 0$. We take advantage of the small height of the defining polynomial of fields of the form $\mathbb Q(\zeta_{p^s})$, and we use a modified q-descent method to solve the PIP.

We also describe practical improvements to our algorithm for computing the ideal class group and solving the PIP that do not improve the theoretical complexity, but that have a significant impact on the performance of our methods.

Finally, we present a PIP resolution method that leverages a precomputation on $\mathbb Q(\zeta_{p^s})$ of a higher cost than $2^{\tilde O(n^{1/2+\varepsilon})}$. Using this precomputation, we achieve a better heuristic complexity than $2^{\tilde O(n^{1/2})}$ when solving all subsequent PIP instances for which $\mathcal N(I) \le 2^{n^b}$ in $\mathbb Q(\zeta_{p^s})$. More specifically, by spending a precomputation time in 2°fo 2 3 ° +e ) for an arbitrarily small $\varepsilon > 0$, we can solve the PIP on input ideals $I$ with $\mathcal N(I) \le 2^{n^b}$ in time 2°(" 1 ') when

1. $b < 7a - 2$,

2. $1/2 < a < 1$.

Combined with the recent heuristic reduction from $\gamma$-SVP to the short PIP of Cramer et al. [CDW16] (under the same assumptions on the class group), this yields a heuristic algorithm for $\gamma$-SVP in ideals $I$ of $\mathbb Q(\zeta_{p^s})$ satisfying $\mathcal N(I) \le 2^{n^b}$, with precomputation on $\mathbb Q(\zeta_{p^s})$, for $\gamma \in e^{\tilde O(\sqrt n)}$ with a better trade-off approximation/cost than BKZ. For example:

— With a precomputation of cost $2^{\tilde O(n^{5/7+\varepsilon})}$ on $\mathbb Q(\zeta_{p^s})$, the instances of $\gamma$-SVP in ideals $I$ of $\mathbb Q(\zeta_{p^s})$ satisfying $\mathcal N(I) \le 2^{n^{1+o(1)}}$ can be solved in time $2^{\tilde O(n^{3/7+o(1)})}$.

— Given a $2^{\tilde O(n^{5/7+o(1)})}$ precomputation, the private keys of the multilinear maps of Garg, Gentry and Halevi [GGH13] can be retrieved in time $2^{\tilde O(n^{3/7+o(1)})}$ from the corresponding public keys.


2 Background

Lattices. A lattice is a discrete additive subgroup of $\mathbb R^n$ for some integer $n$. The first minimum of a lattice $\mathcal L$ is defined by $\lambda_1 := \min_{v \in \mathcal L \setminus \{0\}} \|v\|$. A basis of $\mathcal L$ is a set of linearly independent vectors $b_1, \dots, b_k$ such that $\mathcal L = \mathbb Z b_1 + \dots + \mathbb Z b_k$. The determinant of $\mathcal L$ is $\det(\mathcal L) = \sqrt{\det(B \cdot B^T)}$ where $B = (b_i) \in \mathbb R^{k \times n}$ is the matrix of a basis of $\mathcal L$. For a full dimensional lattice $\mathcal L$, the best upper bound we know on $\lambda_1(\mathcal L)$ is in $O(\sqrt n \det(\mathcal L)^{1/n})$. The problem of finding a shortest vector $v \in \mathcal L$ is known as the Shortest Vector Problem (SVP), while the problem of finding $v \in \mathcal L$ such that $\|v\| \le \gamma \lambda_1(\mathcal L)$ for some $\gamma > 1$ is known as $\gamma$-SVP. A solution $v$ to $\gamma$-SVP satisfies $\|v\| \in O(\gamma \sqrt n \det(\mathcal L)^{1/n})$. Given the matrix of a basis $A$ as input, the LLL algorithm [LLL82] returns a basis $(b_i)_{i \le n}$ such that $\frac{\|b_1\|}{\det(\mathcal L)^{1/n}} \in 2^{O(n)}$ in time polynomial in $n$ and $\log(|A|)$. The BKZ algorithm [AKS01] with block size $k$ returns a basis $(b_i)_{i \le n}$ such that $\frac{\|b_1\|}{\det(\mathcal L)^{1/n}} \in O(k^{n/k})$ in time $2^{O(k)} \mathrm{Poly}(n, \log(|A|))$. Finally, the HKZ algorithm returns a basis $(b_i)_{i \le n}$ such that $\frac{\|b_1\|}{\det(\mathcal L)^{1/n}} \in O(\sqrt n)$ in time $2^{O(n)}$. The problem of finding $n$ linearly independent vectors $(v_i)_{i \le n}$ such that $\max_i \|v_i\| \le \min_{(b_i)_{i \le n} \text{ basis of } \mathcal L} \max_i \|b_i\|$ is the Shortest Independent Vectors Problem (SIVP), and $\gamma\sqrt n$-SIVP efficiently reduces to $\gamma$-SVP.


Number fields. A number field $K$ is a finite extension of $\mathbb Q$. Its ring of integers $\mathcal O_K$ has the structure of a $\mathbb Z$-lattice of degree $n = [K : \mathbb Q]$, and the orders $\mathcal O \subseteq \mathcal O_K$ are the sublattices of $\mathcal O_K$ which have degree $n$ and which are equipped with a ring structure. A number field has $r_1 \le n$ real embeddings $(\sigma_i)_{i \le r_1}$ and $2r_2$ complex embeddings $(\sigma_i)_{r_1 < i \le 2r_2}$ (coming as $r_2$ pairs of conjugates). The field $K$ is isomorphic to $\mathcal O_K \otimes \mathbb Q$ where $\mathcal O_K$ denotes the ring of integers of $K$. We can embed $K$ in $K_{\mathbb R} := K \otimes \mathbb R \simeq \mathbb R^{r_1} \times \mathbb C^{r_2}$, and extend the $\sigma_i$'s to $K_{\mathbb R}$. Let $T_2$ be the Hermitian form on $K_{\mathbb R}$ defined by $T_2(x, x') := \sum_i \sigma_i(x)\overline{\sigma_i(x')}$, and let $\|x\| := \sqrt{T_2(x, x)}$ be the corresponding $L_2$-norm. The norm of an element $x \in K$ is defined by $\mathcal N(x) = \prod_i \sigma_i(x)$. Let $(\alpha_i)_{i \le d}$ be such that $\mathcal O_K = \oplus_i \mathbb Z \alpha_i$; then the discriminant of $K$ is given by $\Delta = \det^2(T_2(\alpha_i, \alpha_j))$. The volume of the fundamental domain is $\sqrt{|\Delta|}$, and the size of the input of algorithms working on an integral basis of $\mathcal O_K$ is in $O(\log(|\Delta|))$. In $K = \mathbb Q(\zeta_{p^s})$, the degree satisfies $[K : \mathbb Q] = (p-1)p^{s-1}$ and $\Delta = \pm p^{p^{s-1}(ps - s - 1)}$; therefore $\log(|\Delta|) \sim n \log(n)$ and we can express the complexity of our algorithms in terms of $n$ (a choice we made in this paper), which makes it easier to compare with other lattice reduction results. However, most of the literature on class group computation presents complexities in terms of $\log(|\Delta|)$, which is in general the right value to measure the input. For example, it makes no sense to express the complexity with respect to the degree of $K$ in infinite classes of quadratic number fields.

Cyclotomic fields. A cyclotomic field is an extension of $\mathbb Q$ of the form $K = \mathbb Q(\zeta_N)$ where $\zeta_N = e^{2i\pi/N}$ is a primitive $N$-th root of unity. The ring of integers $\mathcal O_K$ of $K$ is $\mathbb Z[X]/(\Phi_N(X))$ where $\Phi_N$ is the $N$-th cyclotomic polynomial. When $N$ is a power of two, $\Phi_N(X) = X^{N/2} + 1$, and when $N = p^s$ is a power of $p > 2$, we have $\Phi_N(X) = X^{p^{s-1}(p-1)} + X^{p^{s-1}(p-2)} + \dots + 1$ (which of course generalizes the case $p = 2$). Elements $\alpha \in \mathcal O_K$ are residues of polynomials in $\mathbb Z[X]$ modulo $\Phi_N(X)$, and can be identified with their coefficient vectors $a \in \mathbb Z^{\phi(N)}$ where $\phi(N) = p^{s-1}(p-1)$ is the Euler totient of $N$ (and the degree of $\Phi_N(X)$).

The ideal class group. Elements of the form $\frac{I}{d}$ where $I \subseteq \mathcal O_K$ is an (integral) ideal of the ring of integers of $K$ and $d > 0$ are called fractional ideals. Like the orders of $K$, they have the structure of a $\mathbb Z$-lattice of degree $n = [K : \mathbb Q]$, and they form a multiplicative group $\mathcal I$. Elements of $\mathcal I$ admit a unique decomposition as a power product of prime ideals of $\mathcal O_K$ (with possibly negative exponents). The norm of integral ideals is given by $\mathcal N(I) := [\mathcal O_K : I]$, which extends to fractional ideals by $\mathcal N(I/J) := \mathcal N(I)/\mathcal N(J)$. The norm of a principal (fractional) ideal agrees with the norm of its generator: $\mathcal N(x\mathcal O_K) = |\mathcal N(x)|$. The principal fractional ideals $\mathcal P$ of $K$ are a subgroup of $\mathcal I$, and the ideal class group of $\mathcal O_K$ is defined by $\mathrm{Cl}(\mathcal O_K) := \mathcal I/\mathcal P$. We denote by $[\mathfrak a]$ the class of a fractional ideal $\mathfrak a$ in $\mathrm{Cl}(\mathcal O_K)$ and by $h$ the cardinality of $\mathrm{Cl}(\mathcal O_K)$, which is a finite group. In $\mathrm{Cl}(\mathcal O_K)$ we identify two fractional ideals $\mathfrak a, \mathfrak b$ if there is $\alpha \in K$ such that $\mathfrak a = (\alpha)\mathfrak b$. This is denoted by $\mathfrak a \sim \mathfrak b$.

Units of $\mathcal O_K$. Elements $u \in \mathcal O_K$ that are invertible in $\mathcal O_K$ are called units. Equivalently, they are the elements $u \in \mathcal O_K$ such that $(u)\mathcal O_K = \mathcal O_K$, and also such that $\mathcal N(u) = \pm 1$. The unit group of $\mathcal O_K$ where $K$ is a cyclotomic field has rank $r = n/2 - 1$ and has the form $\mathcal O_K^* = \mu \times \langle \varepsilon_1 \rangle \times \dots \times \langle \varepsilon_r \rangle$ where $\mu$ are the roots of unity (torsion units) and the $\varepsilon_i$ are non-torsion units. Such $(\varepsilon_i)_{i \le r}$ are called a system of fundamental units of $\mathcal O_K$. Units generate a lattice $\mathcal L$ of rank $r$ in $\mathbb R^{r+1}$ via the embedding
$$x \in K^* \mapsto \mathrm{Log}(x) := (\ln(|\sigma_1(x)|), \dots, \ln(|\sigma_{r+1}(x)|))$$
where the complex embeddings $(\sigma_i)_{i \le n}$ are ordered such that the first $r + 1 = n/2$ ones are not conjugates of each other. The volume $R$ of $\mathcal L$ is an invariant of $K$ called the regulator. The regulator $R$ and the class number $h$ satisfy
$$hR = \frac{|\mu|\sqrt{|\Delta|}}{2^{r_1}(2\pi)^{r_2}} \lim_{s \to 1} \big((s-1)\zeta_K(s)\big), \quad \text{where } \zeta_K(s) = \sum_{\mathfrak a} \frac{1}{\mathcal N(\mathfrak a)^s}$$
is the usual $\zeta$ function associated to $K$ and $|\mu|$ is the cardinality of $\mu$, the group of torsion units. This allows us to derive a bound $h^*$ in polynomial time under GRH that satisfies $h^* < hR < 2h^*$ ([Bac95]). When $K = \mathbb Q(\zeta_{p^s})$, logarithm vectors of units of the form $u_j = \frac{\zeta^j - 1}{\zeta - 1}$ for $j \in (\mathbb Z/p^s\mathbb Z)^*$, together with $\mu$, generate a sublattice of $\mathcal L$ of index $h^+(p^s)$ where $h^+(N)$ is the class number of the maximal real subfield of $\mathbb Q(\zeta_N)$ [Was82, Lemma 8.1]. It is conjectured that $h^+(2^s) = 1$ (Weber class number problem) and that $h^+(p^s)$ remains bounded for fixed $p$ and increasing $s$ (see [BPR04]).

Notations. Throughout this paper, $\|A\| = \max_{i,j} |A_{i,j}|$ denotes the infinity norm of a matrix. We denote by $\ln(x)$ the natural logarithm of $x$ and by $\log(x)$ its base-2 logarithm.

3 High level description of the algorithm

In cryptosystems based on the hardness of finding a short generator of a principal ideal (in particular [SV10] and [GGH13]), the secret key is a small generator $g \in K = \mathbb Q(\zeta_N)$ of a principal ideal $\mathfrak a \subseteq \mathcal O_K$, and the public parameters include a $\mathbb Z$-basis of $\mathfrak a$. We present a subexponential method for retrieving a generator of an input ideal that is asymptotically faster than the current state of the art [Bia, BF14]. Combined with the Bounded Distance Decoding method in $\mathrm{Log}(\mathbb Z[\zeta_N]^*)$ presented in [CDPR16], this yields a better classical attack against the schemes relying on the hardness of finding a short generator of a principal ideal. We also show how to leverage the precomputation of a large set of relations between generators of $\mathrm{Cl}(\mathcal O_K)$ to solve the PIP in $\mathcal O_K$ in time $2^{\tilde O(n^a)}$ for $a < 1/2$. Combined with the techniques of [CDW16], this provides a method for solving $\gamma$-SVP in ideal lattices of $K$ for $\gamma \in e^{\tilde O(n^{1/2})}$ with a better trade-off approximation/cost than BKZ.

Solving the Principal Ideal Problem. All subexponential time algorithms for solving the Principal Ideal Problem follow the same high level strategy. They derive from the subexponential algorithm for classes of fixed degree number fields [Buc90], which itself is a generalization of the algorithm of Hafner and McCurley [HM89a] for quadratic number fields. Let $B > 0$ be a smoothness bound and $\mathcal B := \{\text{prime ideals } \mathfrak p \text{ with } \mathcal N(\mathfrak p) \le B\}$. We first need to compute a generating set of the lattice $\Lambda$ of all the vectors $(e_1, \dots, e_m) \in \mathbb Z^m$ such that
$$\exists \alpha \in K,\ (\alpha)\mathcal O_K = \mathfrak p_1^{e_1} \cdots \mathfrak p_m^{e_m}, \qquad (1)$$
where $m = |\mathcal B|$. When $B \ge 12 \ln^2|\Delta|$, the classes of ideals in $\mathcal B$ generate $\mathrm{Cl}(\mathcal O_K)$ under the GRH [Bac90, Th. 4]. Therefore, $(\mathcal B, \Lambda)$ is a presentation of the group $\mathrm{Cl}(\mathcal O_K)$, and the search for a generating set of the relations of the form (1) is equivalent to computing the group structure of $\mathrm{Cl}(\mathcal O_K)$. Indeed, the morphism
$$\mathbb Z^m \xrightarrow{\ \varphi\ } \mathcal I \xrightarrow{\ \pi\ } \mathrm{Cl}(\mathcal O_K), \qquad (e_1, \dots, e_m) \mapsto \prod_i \mathfrak p_i^{e_i} \mapsto \prod_i [\mathfrak p_i]^{e_i}$$
is surjective, and the class group $\mathrm{Cl}(\mathcal O_K)$ is isomorphic to $\mathbb Z^m / \ker(\pi \circ \varphi) = \mathbb Z^m / \Lambda$. If we only compute a generating set for a sublattice of $\Lambda$ of finite index, then the cardinality of the tentative class group we obtain is a multiple of $h = |\mathrm{Cl}(\mathcal O_K)|$. This can be tested by using an estimate of $hR$ given by the methods of [Bac95] in polynomial time under the GRH. If we are missing relations to generate $\Lambda$, we obtain a multiple of $hR$, and this tells us we need to collect more relations. Let $\mathfrak a$ be an input ideal. We find an extra relation of the form $\mathfrak a = (\alpha)\mathfrak p_1^{e_1} \cdots \mathfrak p_m^{e_m}$. The input ideal $\mathfrak a$ is principal if and only if $\mathfrak p_1^{e_1} \cdots \mathfrak p_m^{e_m}$ is principal too. Then, assuming we have a generating set for the lattice $\Lambda$ of relations of the form (1), we can rewrite $\mathfrak p_1^{e_1} \cdots \mathfrak p_m^{e_m}$ as a power-product of the relations generating $\Lambda$. More specifically, if the relations $(\alpha_i)\mathcal O_K = \mathfrak p_1^{e_{i,1}} \cdots \mathfrak p_m^{e_{i,m}}$ for $i \le m$ generate $\Lambda$, then there is $x \in \mathbb Z^m$ such that $xA = y$ for $A = (e_{i,j})_{i,j \le m}$ and $y = (e_1, \dots, e_m)$. Then $\mathfrak p_1^{e_1} \cdots \mathfrak p_m^{e_m} = (\alpha_1^{x_1} \cdots \alpha_m^{x_m}) \cdot \mathcal O_K$, which gives us a generator of $\mathfrak a$: $\mathfrak a = (\alpha \cdot \alpha_1^{x_1} \cdots \alpha_m^{x_m}) \cdot \mathcal O_K$.

Theorem 1. Algorithm 1 runs in heuristic complexity $2^{\tilde O(n^{1/2+\varepsilon})}$ for arbitrarily small $\varepsilon > 0$ when $B = 2^{n^{1/2}}$, with $K = \mathbb Q(\zeta_{p^s})$ and $n = [K : \mathbb Q]$.

Algorithm 1 Principal Ideal Problem
Input: Ideal $\mathfrak a \subseteq \mathcal O_K$, smoothness bound $B$.
Output: false or $\beta \in K$ such that $\mathfrak a = (\beta)\mathcal O_K$.
1: Compute $\mathcal B = \{\mathfrak p_1, \dots, \mathfrak p_m\}$ of norm less than $B$.
2: Compute a lattice $\Lambda \subseteq \mathbb Z^m$ of random relations between elements of $\mathcal B$.
3: $h \leftarrow |\mathbb Z^m / \Lambda|$, $R \leftarrow$ regulator of $K$.
4: Check $h \cdot R$ with the estimates of [BF14, Sec. 4.3]. Find more relations if necessary.
5: $A \leftarrow (e_{i,j})_{i,j \le m}$, where $(\alpha_i) = \prod_j \mathfrak p_j^{e_{i,j}}$ are a basis of $\Lambda$.
6: Find $y \in \mathbb Z^m$ such that $\mathfrak a = (\alpha)\mathfrak p_1^{y_1} \cdots \mathfrak p_m^{y_m}$.
7: Solve $xA = y$.
8: return false if no solution, or $\alpha \cdot \alpha_1^{x_1} \cdots \alpha_m^{x_m}$.

PIP with precomputation on $K$. Algorithm 1 can be divided into two steps: the computation of a basis of the lattice of relations between the classes of a generating set for $\mathrm{Cl}(\mathcal O_K)$, and the decomposition of the input ideal $\mathfrak a$ with respect to this generating set. The computation of relations between generators of the ideal class group is independent of the specific instances of the PIP and can be precomputed. Moreover, the larger the smoothness bound $B$ is, the faster the decomposition of an input ideal over $\mathcal B$ is. Naturally, this implies that the precomputation is more expensive since it requires the calculation of more relations.

Theorem 2. If we precompute all relations between ideals of norm less than $B \in 2^{\tilde O(n^a)}$ for some $1/2 < a < 1$, then the cost of solving the PIP is in 2 V J O (n^~ for arbitrarily small $\varepsilon > 0$, while the cost of the precomputation is in $2^{\tilde O(n^a)}$.

For example, for $a = 2/3$, a precomputation of all relations between prime ideals of norm less than $B \in 2^{\tilde O(n^{2/3})}$ can be done in time $2^{\tilde O(n^{2/3})}$. It allows us to solve all instances of the PIP in $\mathcal O_K$ in time ^ for arbitrarily small $\varepsilon > 0$.

Reducing the short-PIP and $\gamma$-SVP to the PIP. Assume that the input ideal $\mathfrak a \subseteq \mathcal O_K$ is generated by a short element $g$, and that we have computed $\alpha \in \mathcal O_K$ such that $\mathfrak a = (\alpha) \cdot \mathcal O_K$. Given a generating set $\gamma_1, \dots, \gamma_r$ of the unit group $\mathcal O_K^*$, all generators $g'$ of $\mathfrak a$ are of the form
$$g' = \alpha \cdot \gamma_1^{x_1} \cdots \gamma_r^{x_r} \quad \text{for some } (x_1, \dots, x_r) \in \mathbb Z^r.$$
The problem of finding $g$ (or another short generator, which is equivalent for the sake of a cryptanalysis) boils down to finding $(x_1, \dots, x_r)$ such that $\alpha \cdot \gamma_1^{x_1} \cdots \gamma_r^{x_r}$ is short. In the lattice of logarithm embeddings, this can be done by finding $(x_1, \dots, x_r)$ such that $\|\mathrm{Log}(\alpha) - \sum_i x_i \mathrm{Log}(\gamma_i)\|$ is small. To do this, we find the closest vector to $\mathrm{Log}(\alpha)$ in the lattice $\mathcal L := \mathbb Z\mathrm{Log}(\gamma_1) + \dots + \mathbb Z\mathrm{Log}(\gamma_r)$.

The closest vector problem is notoriously hard without prior knowledge on the properties of the lattice and the target vector. In our situation, things are made easier by the knowledge of the distribution of the target vector (given in the description of the cryptosystems [SV10, GGH13]) and of a good basis for $\mathcal L$. Indeed, the decryption algorithm of schemes relying on the hardness of the short-PIP works under the assumption that the generator $g$ is small. This means that the target vector $\mathrm{Log}(\alpha)$ is very close to the lattice $\mathcal L$. Our instance of the Closest Vector Problem therefore turns into an instance of the Bounded Distance Decoding problem (BDD) since we have a bound on $\mathrm{dist}(\mathrm{Log}(\alpha), \mathcal L)$. Moreover, we know a very good basis $\mathrm{Log}(\gamma_i)$ for $\mathcal L$ with which Babai's nearest plane algorithm [Bab85] returns the correct value.


Algorithm 2 short-PIP to PIP reduction
Input: A generator $\alpha \in \mathcal O_K$ of the ideal $\mathfrak a \subseteq \mathcal O_K$.
Output: A short generator of $\mathfrak a$.
1: Let $(\gamma_i)_{i \le r}$ be the cyclotomic units of $K$.
2: $\mathcal L \leftarrow \mathbb Z\mathrm{Log}(\gamma_1) + \dots + \mathbb Z\mathrm{Log}(\gamma_r)$.
3: Find the closest vector $\sum_i x_i \mathrm{Log}(\gamma_i) \in \mathcal L$ to $\mathrm{Log}(\alpha)$ by using Babai's round-off method.
4: return $\dfrac{\alpha}{\prod_i \gamma_i^{x_i}}$.

Theorem 3 (Th. 4.1 of [CDPR16]). When $K = \mathbb Q(\zeta_{p^s})$, Algorithm 2 runs in polynomial time.
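As an added illustration of Algorithm 2 (this code is not from the paper and is not an implementation by its author), the following Python block runs the round-off step in the toy field $K = \mathbb Q(\zeta_8)$, where the unit lattice has rank $r = n/2 - 1 = 1$ and is generated, up to roots of unity, by the cyclotomic unit $(\zeta^3 - 1)/(\zeta - 1) = 1 + \zeta + \zeta^2$ (the unit $u_j$ of Section 2 with $j = 3$). A constructed short generator $g$ is hidden by multiplying it with $u^3$; the block recovers the unit exponent by rounding the projection of $\mathrm{Log}(\alpha)$ onto $\mathrm{Log}(u)$ and divides it out exactly in $\mathbb Z[X]/(X^4 + 1)$. The field, the generator $g$ and the exponent 3 are constructed sample values, not parameters of any scheme.

```python
"""Added example (not from the paper): Algorithm 2 in the toy field K = Q(zeta_8).

Elements of Z[zeta_8] = Z[X]/(X^4 + 1) are lists of 4 integers, low degree first.
The generator SECRET_G and the unit exponent 3 are constructed sample values.
"""
import cmath
import math

N = 8                      # conductor
n = 4                      # degree of Q(zeta_8)
EMBEDDINGS = [1, 3]        # one embedding per conjugate pair: zeta -> exp(2*pi*i*j/8)
ZETA = cmath.exp(2j * math.pi / N)


def mul(a, b):
    """Multiply two elements of Z[X]/(X^4 + 1) (negacyclic convolution, X^4 = -1)."""
    out = [0] * n
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            if i + j < n:
                out[i + j] += x * y
            else:
                out[i + j - n] -= x * y
    return out


def conjugate(a, j):
    """Galois conjugate sigma_j: X -> X^j, reduced modulo X^4 + 1 (X^8 = 1)."""
    out = [0] * n
    for i, c in enumerate(a):
        e = (i * j) % (2 * n)
        if e < n:
            out[e] += c
        else:
            out[e - n] -= c
    return out


def embed(a, j):
    """Complex embedding sigma_j(a) = a(zeta^j)."""
    return sum(c * ZETA ** (i * j) for i, c in enumerate(a))


def log_embedding(a):
    """Log(a) = (ln|sigma_1(a)|, ln|sigma_3(a)|), one coordinate per conjugate pair."""
    return [math.log(abs(embed(a, j))) for j in EMBEDDINGS]


def unit_inverse(u):
    """u^-1 = N(u)^-1 * (product of the other conjugates), valid since N(u) = +-1."""
    prod = [1, 0, 0, 0]
    for j in (3, 5, 7):
        prod = mul(prod, conjugate(u, j))
    norm = mul(u, prod)                    # constant polynomial equal to N(u)
    assert norm[1:] == [0, 0, 0] and norm[0] in (1, -1), "not a unit"
    return [c * norm[0] for c in prod]


def power(a, k):
    out = [1, 0, 0, 0]
    for _ in range(k):
        out = mul(out, a)
    return out


def babai_round_off(alpha, units):
    """Algorithm 2 for a rank-1 unit lattice: round the projection of Log(alpha)
    onto Log(u), then return alpha / u^x together with the exponent x."""
    assert len(units) == 1                 # Q(zeta_8): r = n/2 - 1 = 1
    u = units[0]
    t, lu = log_embedding(alpha), log_embedding(u)
    x = round(sum(ti * li for ti, li in zip(t, lu)) / sum(li * li for li in lu))
    correction = power(unit_inverse(u), x) if x >= 0 else power(u, -x)
    return mul(alpha, correction), x


CYCLOTOMIC_UNIT = [1, 1, 1, 0]            # (zeta^3 - 1)/(zeta - 1) = 1 + zeta + zeta^2
SECRET_G = [3, 1, 1, 0]                   # constructed short generator
PUBLIC_ALPHA = mul(SECRET_G, power(CYCLOTOMIC_UNIT, 3))   # long generator of the same ideal


def demo():
    """Recover the short generator from PUBLIC_ALPHA; returns (generator, unit exponent)."""
    return babai_round_off(PUBLIC_ALPHA, [CYCLOTOMIC_UNIT])


if __name__ == "__main__":
    print("long generator :", PUBLIC_ALPHA)
    print("recovered      :", demo())
```

The rounding succeeds because $\mathrm{Log}(g)$ has a small component along $\mathrm{Log}(u)$; the whole-field statement of Theorem 3 is that the cyclotomic-unit basis keeps this true for every short $g$ in $\mathbb Q(\zeta_{p^s})$, which is what makes the round-off (rather than a general CVP solver) sufficient.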

A short generator of a principal ideal in $K = \mathbb Q(\zeta_{p^s})$ yields a solution to $\gamma$-SVP for $\gamma \in e^{\tilde O(\sqrt n)}$. Moreover, under reasonable assumptions on the ideal class group, given an arbitrary input ideal $I \subseteq \mathcal O_K$, the heuristic methods of [CDW16] allow us to find an ideal $J$ with $\mathcal N(J) \in 2^{\tilde O(n^{3/2})}$ such that $IJ$ is principal. Then a short generator of $IJ$ is a solution to $\gamma$-SVP for $I$ with $\gamma \in e^{\tilde O(\sqrt n)}$. The close principal multiple algorithm of [CDW16] uses the decomposition of an input ideal on a short generating set of the ideal class group. This can be done in quantum polynomial time using [BS16], or in time $2^{\tilde O(n^{3/7+\varepsilon})}$ for arbitrarily small $\varepsilon > 0$ given a precomputation of cost in $2^{\tilde O(n^{5/7+\varepsilon})}$.

Theorem 4. If we precompute all relations between ideals of norm less than $B \in 2^{\tilde O(n^a)}$ for some $1/2 < a < 1$, then the cost of solving $\gamma$-SVP for $\gamma \in e^{\tilde O(\sqrt n)}$ is in 2 V / for arbitrarily small $\varepsilon > 0$, while the cost of the precomputation is in $2^{\tilde O(n^a)}$.

4 Smoothness of ideals

Given $B > 0$, the expected time to find a relation of the form $(\alpha) = \mathfrak p_1^{e_1} \cdots \mathfrak p_m^{e_m}$ where $\mathcal N(\mathfrak p_i) \le B$ depends on the probability that a random ideal $\mathfrak a$ of bounded norm is $B$-smooth, that is to say of the form $\mathfrak a = \mathfrak p_1^{e_1} \cdots \mathfrak p_m^{e_m}$. In [Sco04], Scourfield established a result on the smoothness of ideals in a number field comparable to the ones known on integers. Let
$$\Psi(x, y) := |\{\mathfrak a \subseteq \mathcal O_K,\ \mathcal N(\mathfrak a) \le x,\ \mathfrak a\ y\text{-smooth}\}|,$$
and $\varepsilon > 0$; then $\Psi(x, y) \sim \lambda_K\, x\, \rho(u)$, where $u = \frac{\ln(x)}{\ln(y)}$, $\rho$ is the Dickman function, $\lambda_K$ is the residue of the zeta function $\zeta_K(s)$ at $s = 1$, and $(\ln\ln(x))^{5/3+\varepsilon} \le \ln(y) \le \ln(x)$, $x \ge x_0(\varepsilon)$ for some $x_0(\varepsilon)$. In the case where $K$ is normal and In ^| —> 0, $\lambda_K$ can be bounded absolutely, but there is no such result in the general case. During our relation search algorithm, we draw principal ideals at random. There is no known analogue of Scourfield's result for restricted classes of ideals. This is one of the reasons why the complexity of the number field sieve [LLMP90] is only heuristic. We therefore rely on the following heuristic for the smoothness of ideals.

Heuristic 1. We assume that the probability $P(t, \rho)$ that a principal ideal of $\mathcal O_K$ of norm bounded by $t$ is a power-product of prime ideals of norm bounded by $\rho$ satisfies
$$P(t, \rho) \ge e^{-u \ln(u)(1 + o(1))} \quad \text{for } u = \ln(t)/\ln(\rho). \qquad (2)$$

5 Computation of $\mathrm{Cl}(\mathcal O_K)$

In this section, we show how to compute $\mathrm{Cl}(\mathcal O_K)$ where $K = \mathbb Q(\zeta_{p^s})$ is a cyclotomic field of prime power conductor in time $L_{|\Delta|}(1/2, c)$ for some constant $c > 0$ and $\Delta = \mathrm{disc}(K)$ under Heuristic 1. The best known heuristic complexity for fields of degree $n \in \Theta(\log(|\Delta|))$ is in $2^{\tilde O(n^{2/3+\varepsilon})}$ where $\varepsilon > 0$ is an arbitrarily small constant [BF14]. Cyclotomic fields of prime power conductor have a defining polynomial with height 1, which allows us to use a different technique than the one described in [BF14]. All we have to do is to draw elements $\alpha \in \mathcal O_K$ with small coefficients on the power basis $1, \zeta_{p^s}, \dots, \zeta_{p^s}^{n-1}$ and test them for smoothness with respect to a factor basis $\mathcal B = \{\mathfrak p \mid \mathcal N(\mathfrak p) \le B\}$ for some smoothness bound $B > 0$. The smoothness test is simply done by checking if $\mathcal N(\alpha)$ is $B$-smooth as an integer, using either a factoring algorithm [LLMP90, Pom85] or a dedicated smoothness test algorithm [Ber]. Every time we have a relation of the form
$$(\alpha) = \mathfrak p_1^{e_1} \cdots \mathfrak p_m^{e_m},$$
we store the vector $(e_1, \dots, e_m)$ in the rows of a matrix $M$. Once enough relations are found, we complete the computation as in all previous subexponential methods [Buc89, HM89b, BF14] by processing the matrix $M$.
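As an added example (not code from the paper), the block below performs the relation-search filter just described in Python for a toy field: it draws $\alpha$ with coefficients in $[-A, A]$ on the power basis, computes $\mathcal N(\alpha)$ exactly as the product of the Galois conjugates $\alpha(\zeta^j)$, $j \in (\mathbb Z/N\mathbb Z)^*$ (which equals $\mathrm{Res}(\Phi_N, P)$ since $\Phi_N$ is monic), and tests the integer for $B$-smoothness by trial division. It also evaluates the lower bound of Heuristic 1 with $t = (nA)^n$, the Hadamard bound used in the proof of Proposition 1. The parameters $p = 2$, $s = 3$, $A = 3$, $B = 50$ and the random seed are constructed for illustration; splitting a smooth norm into prime ideals and assembling the matrix $M$ are not shown.

```python
"""Added example, not from the paper: relation-search filter for K = Q(zeta_{p^s})."""
import math
import random


def cyclotomic_poly(p, s):
    """Phi_{p^s}(X) = sum_{i<p} X^{i p^{s-1}}, coefficients low degree first."""
    deg = (p - 1) * p ** (s - 1)
    phi = [0] * (deg + 1)
    for i in range(p):
        phi[i * p ** (s - 1)] = 1
    return phi


def poly_mod(a, phi):
    """Reduce a modulo the monic polynomial phi; the result has deg(phi) coefficients."""
    a = list(a)
    d = len(phi) - 1
    for i in range(len(a) - 1, d - 1, -1):
        c = a[i]
        if c:
            for j in range(d + 1):
                a[i - d + j] -= c * phi[j]
    a = a[:d]
    return a + [0] * (d - len(a))


def poly_mul(a, b, phi):
    prod = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            prod[i + j] += x * y
    return poly_mod(prod, phi)


def conjugate(a, j, phi):
    """Galois conjugate sigma_j(alpha) = alpha(zeta^j): substitute X -> X^j, reduce mod Phi_N."""
    out = [0] * ((len(a) - 1) * j + 1)
    for i, c in enumerate(a):
        out[i * j] += c
    return poly_mod(out, phi)


def norm(a, N, phi):
    """N(alpha) = prod_{gcd(j,N)=1} sigma_j(alpha), computed exactly in Z[X]/(Phi_N)."""
    acc = [1] + [0] * (len(phi) - 2)
    for j in range(1, N):
        if math.gcd(j, N) == 1:
            acc = poly_mul(acc, conjugate(a, j, phi), phi)
    assert all(c == 0 for c in acc[1:]), "the norm must be a rational integer"
    return acc[0]


def smooth_factorization(value, B):
    """Trial division by primes <= B: {prime: exponent}, or None if |value| is not B-smooth."""
    m = abs(value)
    if m == 0:
        return None
    factors = {}
    p = 2
    while p <= B and p * p <= m:
        while m % p == 0:
            factors[p] = factors.get(p, 0) + 1
            m //= p
        p += 1 if p == 2 else 2
    if m > 1:
        if m > B:
            return None            # leftover cofactor is a prime above the bound
        factors[m] = factors.get(m, 0) + 1
    return factors


def factorization_value(fac):
    """Recombine {prime: exponent} into the integer it factors."""
    value = 1
    for q, e in fac.items():
        value *= q ** e
    return value


def heuristic_smooth_probability(n, A, B):
    """Lower bound of Heuristic 1, e^{-u ln u}, with t = (nA)^n bounding N(alpha) (Hadamard)."""
    u = n * math.log(n * A) / math.log(B)
    return math.exp(-u * math.log(u)) if u > 1 else 1.0


def relation_search(p, s, A, B, trials, seed=2024):
    """Draw alpha with coefficients in [-A, A] and keep those whose norm is B-smooth.

    Each hit (coefficients, N(alpha), factorization of |N(alpha)|) becomes one row of M
    once the prime ideals above each rational prime are identified (not done here).
    """
    N, phi = p ** s, cyclotomic_poly(p, s)
    n = len(phi) - 1
    rng = random.Random(seed)                  # constructed, reproducible sample
    hits = []
    for _ in range(trials):
        a = [rng.randint(-A, A) for _ in range(n)]
        if any(a):
            nrm = norm(a, N, phi)
            fac = smooth_factorization(nrm, B)
            if fac is not None:
                hits.append((a, nrm, fac))
    return hits


if __name__ == "__main__":
    found = relation_search(p=2, s=3, A=3, B=50, trials=200)
    print(f"{len(found)}/200 candidates in Q(zeta_8) have a 50-smooth norm")
    print("Heuristic 1 lower bound:", round(heuristic_smooth_probability(4, 3, 50), 3))
```

For such tiny parameters the empirical smooth fraction is far above the asymptotic bound of Heuristic 1; the bound only becomes informative once $u = \ln(t)/\ln(B)$ is large, which is the regime of the complexity analysis in Proposition 1.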

Algorithm 3 Computation of the class group of $\mathbb Q(\zeta_N)$
Input: A smoothness bound $B > 0$, a constant $A > 0$ and a conductor $N$.
Output: $(d_i)$ such that $\mathrm{Cl}(\mathcal O_K) = \oplus_i \mathbb Z/d_i\mathbb Z$ for $K = \mathbb Q(\zeta_N)$, and $M \in \mathbb Z^{k \times m}$, $(\alpha_i)_{i \le k} \in \mathcal O_K$ such that for each row $M_i$ of $M$, $\mathcal B^{M_i} = (\alpha_i)$, where $\mathcal B = \{\mathfrak p \mid \mathcal N(\mathfrak p) \le B\}$.
1: Compute $\mathcal B = \{\mathfrak p \mid \mathcal N(\mathfrak p) \le B\}$.
2: $m \leftarrow |\mathcal B|$, $k \leftarrow m$, $M \leftarrow \mathbb Z^{0 \times m}$.
3: while the number of relations is less than $k$ do
4: $(a_i)_{i \le n} \leftarrow [-A, A]^n$, $\alpha \leftarrow \sum_i a_i \zeta_N^{i-1}$.
5: if $(\alpha)$ is $B$-smooth then
6: Find $(e_i)_{i \le m}$ such that $(\alpha) = \prod_i \mathfrak p_i^{e_i}$.
7: $M \leftarrow \begin{pmatrix} M \\ (e_i) \end{pmatrix}$.
8: end if
9: end while
10: if $M$ does not have full rank then $k \leftarrow 2k$ and go to Step 3.
11: $H \leftarrow \mathrm{HNF}(M)$. $d \leftarrow \det(H)$. $B \leftarrow \ker(M)$.
12: $L \leftarrow (\mathrm{Log}(\alpha_1), \dots, \mathrm{Log}(\alpha_k))$. $C \leftarrow (L \cdot B)$.
13: Let $V$ be the volume of the lattice generated by the rows of $C$, and $h^*$ be an approximation of $hR$ given by the methods of [Bac95].
14: if $dV > 1.5\, h^*$ then $k \leftarrow 2k$ and go to Step 3.
15: $\mathrm{diag}(d_1, \dots, d_m) \leftarrow \mathrm{SNF}(H)$.
16: return $(d_i)_{i \le m}$, $M$, $(\alpha_i)_{i \le k}$.

The run time of Algorithm 3 depends on the probability of smoothness of principal ideals, which is ruled by Heuristic 1. This gives us a bound on the average time to find a relation. However, there is no indication that the relations we find are distributed according to a distribution in $\Lambda$ allowing us to terminate the computation in subexponential time. Suppose we found a full rank sublattice $\Lambda_0$ of $\Lambda$. Hafner and McCurley [HM89a] proved under GRH that their relation search for quadratic fields yielded relation vectors such that the probability of drawing one in the coset $w + \Lambda_0$ for any $w \in \Lambda$ was bounded from below by a large enough bound. This allowed them to justify that the algorithm would terminate with high enough probability in subexponential time. It is reasonable to assume that by drawing coefficient vectors uniformly at random in $[-A, A]$, the generators of the principal ideals of our relations will be well enough distributed to justify that the relations themselves are equally distributed in $\Lambda$, but proving it remains an open question.

Heuristic 2. Let $\Lambda_0$ be a sublattice of $\Lambda$ corresponding to the relations between primes in $\mathcal B$, and $A > 1$ be a constant. If $(a_i)_{i \le n}$ is drawn uniformly at random in $[-A, A]^n$, and if $(\alpha)\mathcal O_K = \mathcal B^{w_\alpha}$ is $B$-smooth, then for any $w \in \Lambda$,
$$P(w_\alpha \in w + \Lambda_0) \ge \frac{1}{[\Lambda : \Lambda_0]}(1 + o(1)).$$

Proposition 1 (GRH + Heuristic 1 + Heuristic 2). Algorithm 3 with $B \in 2^{\tilde O(n^{1/2})}$ and $N$ of the form $p^s$ is correct and its heuristic complexity is in $2^{\tilde O(n^{1/2})}$.

Proof. The run time depends on the smoothness probability of $\alpha \in \mathcal O_K$ drawn in Step 4. Let $P \in \mathbb Z[X]$ such that $\alpha = P(\zeta_N)$ for $N = p^s$. The norm of $\alpha$ is given by $\mathrm{Res}(\Phi_N, P)$ where $\Phi_N$ is the $N$-th cyclotomic polynomial. The first $n$ rows of the resultant have length less than $\sqrt n$ while the last $n$ rows have length bounded by $\sqrt n A$. By Hadamard's bound, the resultant is bounded by $n^n A^n$. This means that $\log(|\mathcal N(\alpha)|) \le n \log(n)(1 + o(1))$ (as $A$ is a constant). Let $u := \frac{\log(|\mathcal N(\alpha)|)}{\log(B)}$; from Heuristic 1 the probability of finding a smooth $\alpha$ is at least $e^{-u \ln(u)(1 + o(1))} \in \frac{1}{2^{\tilde O(n^{1/2})}}$, and therefore the whole relation search takes time $2^{\tilde O(n^{1/2})}$. The linear algebra phase (HNF and SNF computation) takes time $|\mathcal B|^{4 + o(1)} \in 2^{\tilde O(n^{1/2})}$, which is asymptotically the same as the relation collection phase.

Corollary 1 (GRH + Heuristic 1 + Heuristic 2). Algorithm 3 has heuristic complexity $2^{\tilde O(n^a)}$ when $B = 2^{b\, n^a}$ for $1/2 \le a \le 1$ and $b > 0$.


6 A q-descent algorithm to solve the PIP

In this section we show how to decompose an input ideal $I \subseteq \mathcal O_K$ into a $B$-smooth product of ideals in $\mathrm{Cl}(\mathcal O_K)$ for some $B > 0$. In other words, we find $\mathfrak p_1, \dots, \mathfrak p_m$ with $\mathcal N(\mathfrak p_i) \le B$, $(e_i)_{i \le m} \in \mathbb Z^m$ and $\alpha \in K$ such that $I = (\alpha)\prod_i \mathfrak p_i^{e_i}$. Then $I$ is principal if and only if $\prod_i \mathfrak p_i^{e_i}$ is principal as well, which is checked by solving a linear system as described in Algorithm 1. In the case where $I$ is principal, this process also returns a generator.

To decompose $I$, we execute a q-descent consisting of searching for small elements $\alpha$ of $I$ such that $(\alpha)/I$ is smooth with respect to ideals of norm less than $\mathcal N(I)$. Then we iterate the process on all divisors of $(\alpha)/I$ that have norm greater than $B$ until we finally break it down into a product of ideals of norm less than $B$.

The idea of the q-descent derives from the algorithms based on the number field sieve [LLMP90] to solve the discrete logarithm problem in time $L_q(1/3)$ in $\mathbb F_q$ (see in particular [AD93, Gor93, JLSV06]). This idea was also used to solve the discrete logarithm problem in the Jacobian of certain classes of $C_{ab}$ curves [EGT]. A q-descent strategy was used to derive relations in $\mathrm{Cl}(\mathcal O_K)$ in [Bia11, Bia, BF14], but it was restricted to classes of fields with degree $n \in O(\log(|\Delta|)^a)$ for some $a < 1/2$. In this paper, we achieve a heuristic $L_{|\Delta|}(1/2 + \varepsilon, 1)$ complexity for any $\varepsilon > 0$ in cyclotomic fields despite the fact that the degree of these fields satisfies $n \in \Theta(\log(|\Delta|))$.


Finding short elements in $I$. We assume that $I$ is an ideal of $\mathcal O_K$. We want to find elements $\alpha \in I$ of small norm. To do this, we restrict the search to the lattice
$$\mathcal L_I := \mathbb Z v_{1,1} + \mathbb Z(v_{2,2}\zeta_N + v_{2,1}) + \dots + \mathbb Z(v_{k,k}\zeta_N^{k-1} + v_{k,k-1}\zeta_N^{k-2} + \dots + v_{k,1}) \subseteq I,$$
for some $k > 0$ where $N = q^s$ is the conductor of $K$. The coefficients $v_{i,j}$ are given by the HNF of the $\mathbb Z$-basis of $I$, which has the shape
$$H := \begin{pmatrix} v_{1,1} & 0 & \cdots & 0 \\ v_{2,1} & v_{2,2} & \ddots & \vdots \\ \vdots & & \ddots & 0 \\ v_{n,1} & \cdots & \cdots & v_{n,n} \end{pmatrix}.$$

Lemma 1. We can find a vector in $\mathcal L_I$ of length less than $\sqrt k\, \mathcal N(I)^{1/k}$ in time $2^{O(k)}$.

Proof. The determinant of $\mathcal L_I$ is that of the upper left $k \times k$ submatrix of $H$ and satisfies $\det(\mathcal L_I) \le \prod_{i \le n} v_{i,i} = \mathcal N(I)$. An HKZ-reduction returns a basis whose first vector has length less than $\sqrt k (\det(\mathcal L_I))^{1/k}$ in time $2^{O(k)}$.

Lemma 2. In time $2^{O(k)}$, we can find an element $\alpha \in I$ such that $\mathcal N(\alpha) \le n^n \mathcal N(I)^{n/k}$.

Proof. Let $a$ be the first vector of an HKZ-reduced basis of $\mathcal L_I$. The calculation of this basis takes time $2^{O(k)}$ and by Lemma 1 the length of its first vector $(a_1, \dots, a_k)$ is bounded by $\sqrt k\, \mathcal N(I)^{1/k}$. By the same argument as in the proof of Proposition 1, the algebraic norm of $\alpha := \sum_i a_i \zeta_N^{i-1}$ satisfies
$$\mathcal N(\alpha) \le \|(a_1, \dots, a_k)\|^n\, n^{n/2} \le k^{n/2} n^{n/2} \mathcal N(I)^{n/k} \le n^n \mathcal N(I)^{n/k}.$$

A round of the q-descent. Let $\varepsilon > 0$ be an arbitrarily small constant and $\mathfrak q$ be a prime ideal with $\log(\mathcal N(\mathfrak q)) \le n^b$ for some $1/2 < b < 1$. We would like to decompose the class of $\mathfrak q$ in $\mathrm{Cl}(\mathcal O_K)$ as a product of primes $\mathfrak p$ with $\log(\mathcal N(\mathfrak p)) \le n^{b - \varepsilon}$ in time $2^{\tilde O(n^{1/2 + \varepsilon})}$.



Algorithm 4 One round of the q-descent
Input: Prime ideal $\mathfrak q$ with $\log(\mathcal N(\mathfrak q)) \le n^b$, a constant $\varepsilon > 0$ and $A > 1$.
Output: Prime ideals $\mathfrak p_i$, integers $e_i$ and $\alpha \in \mathfrak q$ such that $(\alpha)/\mathfrak q = \prod_i \mathfrak p_i^{e_i}$ and $\log(\mathcal N(\mathfrak p_i)) \le n^{b - \varepsilon}$.
1: $S \leftarrow \{\mathfrak p_i \text{ such that } \mathcal N(\mathfrak p_i) \le 12 \log(|\Delta|)^2\}$.
2: while no relation has been found do
3: $(x_i)_{i \le |S|} \leftarrow \mathcal U([0, A]^{|S|})$, $I \leftarrow \mathfrak q \prod_i \mathfrak p_i^{x_i}$, where $\mathcal U$ is the uniform distribution.
4: Construct a basis for the lattice $\mathcal L_I$ with $k = n^{1/2 + \varepsilon}$.
5: HKZ-reduce $\mathcal L_I$ and let $\alpha$ be its first vector.
6: if $(\alpha)$ is $2^{n^{b - \varepsilon}}$-smooth, find $(\mathfrak p_i), (e_i)$ such that $(\alpha) = \prod_i \mathfrak p_i^{e_i}$.
7: end while
8: return $\alpha$, $(\mathfrak p_i)$, $(e_i)$.









Proposition 2 (GRH + Heuristic 1). Let $\varepsilon > 0$ be a constant, $1/2 < b < 1$, and $\mathfrak q$ be a prime ideal with $\log(\mathcal N(\mathfrak q)) \le n^b$. There is a large enough constant $A$ such that Algorithm 4 returns a decomposition of $\mathfrak q$ in $\mathrm{Cl}(\mathcal O_K)$ as a product of degree one primes $\mathfrak p_i$ with $\log(\mathcal N(\mathfrak p_i)) \le n^{b - \varepsilon}$ in time $2^{\tilde O(n^{1/2 + \varepsilon})}$ when the conductor $N$ is of the form $p^s$.

Proof. The ideal $I$ created in Step 3 of Algorithm 4 satisfies $\mathcal N(I) = \mathcal N(\mathfrak q)^{1 + o(1)}$. Therefore, according to Lemma 2, the $\alpha$ derived in Step 5 satisfies $\log(\mathcal N(\alpha)) \le \frac{n}{k} \log(\mathcal N(\mathfrak q))(1 + o(1))$. As $\log(\mathcal N(\mathfrak q)) \le n^b$ and $k = n^{1/2 + \varepsilon}$, this gives us $\log(\mathcal N(\alpha)) \le n^{1/2 + b - \varepsilon}(1 + o(1))$. We want $(\alpha)/I$ to be $B$-smooth for $\log(B) = n^{b - \varepsilon}$. Let $u = \frac{\log(\mathcal N(\alpha))}{\log(B)}$; the probability of finding such an $\alpha$ is
$$p = e^{-u \ln(u)(1 + o(1))} = \frac{1}{2^{\tilde O(n^{1/2}(1 + o(1)))}}.$$
For any constant $A > 2$, the size $\ge 2^{n^{1/2}}$ of the search space is sufficient to find our $\alpha$. The run time of this procedure is dominated by the reduction of $\mathcal L_I$, which takes $2^{O(k)} = 2^{O(n^{1/2 + \varepsilon})}$.

Full procedure. Assume we are given an arbitrary ideal $I \subseteq \mathcal{O}_K$ as input. Before
initiating the q-descent, we need to break it down into a product of primes $\mathfrak{q}_i$
with $\log(\mathcal{N}(\mathfrak{q}_i)) \le n$. To do this, we multiply $I$ by a random power product $\mathfrak{a}$ of
ideals of the factor base $\mathcal{B}$, and BKZ-reduce it. This is done by finding a short
element $\phi \in \mathfrak{c}$ where $\mathfrak{a}^{-1} = \frac{1}{d}\mathfrak{c}$ with $d \in \mathbb{Z}_{>0}$ and $\mathfrak{c} \subseteq \mathcal{O}_K$. When using the BKZ
algorithm with block size $l = n^{1/2}$, such a short element satisfies
$$\|\phi\| \le n^{n^{1/2}/4}\,|\Delta|^{\frac{1}{2n}}\,\mathcal{N}(\mathfrak{c})^{\frac{1}{n}}.$$
Then, the ideal $\mathfrak{b} := (\phi)\mathfrak{c}^{-1}$ satisfies $\mathfrak{b} \subseteq \mathcal{O}_K$, $\mathcal{N}(\mathfrak{b}) \le 2^{\frac{n^{3/2}\log(n)}{2}}$, and it is $2^{n}$-smooth with probability $2^{-O(n^{1/2})(1+o(1))}$ by following the same argument as in the
proof of Proposition 2. Repeating the process $2^{n^{1/2+o(1)}}$ times yields the desired
$2^{n}$-smooth decomposition.


Algorithm 5 Initial decomposition

Input: An ideal $I \subseteq \mathcal{O}_K$, factor base $\mathcal{B}$, and a constant $A > 1$.
Output: $\alpha \in K$ such that $\mathfrak{b} := (\alpha)I$ is $2^{n}$-smooth.
1: $\mathfrak{a} \leftarrow \prod_i \mathfrak{p}_i^{e_i}$ for random $e_i \le A$ (use a square-and-multiply strategy).
2: $\mathfrak{c} \leftarrow d\,I\mathfrak{a}^{-1}$ where $d$ is the denominator of $\mathfrak{a}^{-1}$.
3: Find a BKZ-reduced $\phi \in \mathfrak{c}$ with block size $l = n^{1/2}$.
4: $\alpha \leftarrow d/\phi$.
5: if $\mathfrak{b} := (\alpha)I$ is not $2^{n}$-smooth for degree 1 primes then go to Step 1.
6: return $\alpha$.

Algorithm 6 q-descent

Input: $I \subseteq \mathcal{O}_K$ and an arbitrarily small $\varepsilon > 0$.
Output: Prime ideals $(\mathfrak{q}_i)_{i\le l} \in \mathcal{B}$ with $\mathcal{N}(\mathfrak{q}_i) \le 2^{n^{1/2}}$, integers $(e_i)$ and $(\phi_j)_{j\le k} \in K$
such that $I = \prod_{j\le k}(\phi_j)\prod_{i\le l}\mathfrak{q}_i^{e_i}$.
1: Decompose $I = (\phi_1)\prod_i \mathfrak{q}_i$ using Algorithm 5.
2: genList $\leftarrow \{\phi_1\}$, primeList $\leftarrow \{\mathfrak{q}_1, \dots, \mathfrak{q}_l\}$, expList $\leftarrow \{1, \dots, 1\}$.
3: $b \leftarrow 1$.
4: while $b > 1/2$ do
5:   for $\mathfrak{q} \in$ primeList with $\log(\mathcal{N}(\mathfrak{q})) > n^{b-\varepsilon}$ do
6:     Find $(\mathfrak{q}_i)_{i\le l}$, $(e_i)_{i\le l}$ and $\phi_k$ such that $\mathfrak{q} = (\phi_k)\prod_{i\le l}\mathfrak{q}_i^{e_i}$ by a round of the q-descent.
7:     genList $\leftarrow$ genList $\cup \{\phi_k\}$, primeList $\leftarrow$ primeList $\cup \{\mathfrak{q}_1, \dots, \mathfrak{q}_l\}$.
8:     expList $\leftarrow$ expList $\cup \{e_1, \dots, e_l\}$.
9:     Remove $\mathfrak{q}$ from primeList and expList.
10:  end for
11:  $b \leftarrow b - \varepsilon$.
12: end while
13: return genList, primeList, expList.


Proposition 3. Algorithm 6 decomposes $I$ as a $2^{n^{1/2}}$-smooth product in $\mathrm{Cl}(\mathcal{O}_K)$
in time $2^{O(n^{1/2+\varepsilon})}$ for arbitrarily small $\varepsilon > 0$.

Proof. The cost of the initial decomposition is in $2^{O(l)}$ where $l = n^{1/2}$ is the
block size of the BKZ reduction. The depth of the decomposition tree arising
from the q-descent is $\frac{1}{2\varepsilon}$, which is a constant. The arity of this tree is at most $n^2$,
so Algorithm 4 is called at most polynomially many times.

7 Practical improvements to the computation of $\mathrm{Cl}(\mathcal{O}_K)$
and the resolution of the PIP

The subexponential methods we presented in Section 5 and Section 6 have a
heuristic asymptotic run time in $2^{O(n^{1/2+\varepsilon})}$, and depending on the choices made
for implementation, the practical performances of these algorithms can vary significantly. In this section, we present some practical improvements which do not
affect the asymptotic complexity, but which impact the practical run time. As
the computation of the ideal class group and the resolution of the Principal
Ideal Problem are widely studied problems, there are many existing improvements that readily apply to our algorithm, and many of them are folklore. For
example, for each relation $\prod_i \mathfrak{p}_i^{e_i} = (\alpha)$ we find, we immediately get an additional
$|\mathrm{Gal}(K/\mathbb{Q})| - 1$ others by including $\prod_i \sigma(\mathfrak{p}_i)^{e_i} = (\sigma(\alpha))$ for all $\sigma \in \mathrm{Gal}(K/\mathbb{Q})$. This
method is present in the class group algorithm available in both PARI [PAR14]
and Magma [BCP97]. The large prime variants are another folklore practical
improvement. They were originally described in the context of integer factorization [LM91, PLL+02], and were successfully adapted to the resolution of the DLP
in finite fields, and in the Jacobian of curves. The single large prime variant
for computing $\mathrm{Cl}(\mathcal{O}_K)$ was first presented by Jacobson [Jac99] while the double
large prime variant was first successfully used for computing class groups by
Biasse [Biaa]. Other improvements impacting the practical performances of our
methods include quadratic [Jac00] and lattice [BF12] sieving, as well as optimized methods of computing the HNF and the SNF of a large integer matrix. In
this section, we restrict ourselves to improvements that are very specific to the
settings of the algorithm. More specifically, we develop two points:

— We show how to efficiently reduce the resolution of the PIP in $\mathrm{Cl}(\mathcal{O}_{\mathbb{Q}(\zeta_N)})$
to an instance of the PIP in $\mathrm{Cl}(\mathcal{O}_{\mathbb{Q}(\zeta_N)^+})$.

— We show how to enhance the relation search by looking for elements of small
norm near the cyclotomic units.

Solving the PIP in the maximal real subfield. Using subfields (and in particular the maximal real subfield $K^+$) is folklore. Several references use a variant
around this idea. We specifically rely on the Gentry-Szydlo method [GS02] and
its extension by Howgrave-Graham and Szydlo [HS04] for solving norm equations of the form $N_{\mathbb{Q}(\zeta_N)/\mathbb{Q}(\zeta_N)^+}(x) = g$. Halving the degree of the field can have
a significant impact on the practical behavior of the PIP algorithm. The input
size, which is given by $\log(|\Delta|)$, is halved in the case of a power of two cyclotomic.
In addition, the LLL algorithm has a practical behavior significantly better than
the worst case estimates in lower dimensions. Indeed, it is expected to return
a basis $(b_i)$ such that $\|b_1\|/\det(L)^{1/d} \approx (1.02)^d$ (see [NS06]). This makes a difference
in practice during a relation search based on the search for small elements in
LLL-reduced bases of ideals.^1

Given an input ideal $I \subseteq \mathcal{O}_K$, we want to find a generator of the ideal $I'$
generated by $N_{K/K^+}(I)$ in $\mathcal{O}_{K^+}$. The ideal $I'$ is principal. However, the norm
map is not surjective. This means that there can be a generator of $I'$ that is
not the norm of a generator of $I$. If we solve the PIP for $I'$ in $\mathcal{O}_{K^+}$ and find
$g \in \mathcal{O}_{K^+}$ such that $I' = (g)$, then we need to find another generator $g'$ that is
the norm of an element in $K$. To proceed, we find the right unit $u \in \mathcal{O}_{K^+}^*$ such
that $g' = ug$ is totally positive. Given a set of fundamental units $(u_1, \dots, u_r)$
for $\mathcal{O}_{K^+}^*$, this can be done by solving a linear system over $\mathbb{F}_2$. For $a \in K^+$, let
$s(a) \in \mathbb{F}_2^{n/2}$ be the signature of $a$ over the $n/2$ real embeddings $\sigma_i$ of $K^+$, i.e. $s(a)_i = 0$ if $\sigma_i(a) > 0$, and $s(a)_i = 1$
otherwise. Let $M = (s(u_i)_j)_{i \le r,\, j \le n/2}$; then the right product of the $u_i$ turning $g$ into
a totally positive number is $u = \prod_i u_i^{x_i}$ where $(x_1, \dots, x_r)M = s(g)$.

Proposition 4. When $K$ is of the form $K = \mathbb{Q}(\zeta_{2^s})$, there is always a solution
to the system $(x_1, \dots, x_r)M = s(g)$.

Proof. According to [Gar76, Prop. 1], there are units of arbitrary signature in
$\mathbb{Q}(\zeta_{2^s})^+$. Therefore, there must be a linear combination of the signatures of the
units in the generating set that matches $s(g)$.


^1 In $K^+$ the height of the defining polynomial is higher, therefore other relation search
methods may be used.
Proposition 5. When $K = \mathbb{Q}(\zeta_{2^s})$, a totally positive generator $g'$ of $I'$ is necessarily the norm of a generator of $I$.

Proof. $I'$ is generated by at least one totally positive number (i.e. the image
$N_{K/K^+}(g_0)$ of a generator $g_0$ of $I$ by the norm map). Then from [KL07, Web99],
we know that the totally positive units are exactly the squares of units, which
are also the norms of the units of $\mathcal{O}_K$ that are in $\mathcal{O}_{K^+}$. The two totally positive
generators $g'$, $N_{K/K^+}(g_0)$ of $I'$ differ by a totally positive unit, hence a square,
and hence the image of a unit $u_0$ of $\mathcal{O}_K \cap \mathcal{O}_{K^+}$ by the norm map, i.e. $g' = N_{K/K^+}(u_0)N_{K/K^+}(g_0) = N_{K/K^+}(u_0 g_0)$, which is the image of a generator of $I$.

Before applying the Howgrave-Graham and Szydlo [HS04] norm equation
resolution method, we need to make sure that the input is polynomially bounded,
which is not guaranteed if we take an arbitrary solution to the PIP in $\mathcal{O}_{K^+}$
(even after adjusting the signature). However, we know the existence of a short
(totally positive) generator of $I'$, namely the norm of a short generator of $I$.
We are facing an instance of the Bounded Distance Decoding problem similar
to the one solved by Cramer et al. [CDPR16]. The logarithms of the norms of
the cyclotomic units enjoy similar geometric properties as the logarithms of the
cyclotomic units themselves. Therefore, applying the method of [CDPR16] on $g'$
yields a small generator $g''$ of $I'$ on which we can apply the algorithm for the
resolution of the norm equation $N_{K/K^+}(x) = g''$ given in [HS04].


Algorithm 7 Reduction from the PIP in $\mathcal{O}_K$ to the PIP in $\mathcal{O}_{K^+}$

Input: $I \subseteq \mathcal{O}_K$, $I' = N_{K/K^+}(I)\mathcal{O}_{K^+}$, $\mathcal{O}_{K^+}^* = \langle u_1, \dots, u_r\rangle$, $g$ with $I' = (g)$.
Output: $g_0 \in \mathcal{O}_K$ with $I = (g_0)$.
1: $M \leftarrow (s(u_i)_j)_{i,j}$, $y \leftarrow s(g)$.
2: Solve $(x_1, \dots, x_r)M = y$. $g' \leftarrow g\prod_i u_i^{x_i}$.
3: Find a close vector $\mathrm{Log}(u)$ to $\mathrm{Log}(g')$ in $\mathcal{L} = \mathbb{Z}\mathrm{Log}(u'_1) + \cdots + \mathbb{Z}\mathrm{Log}(u'_r)$, where the
$u'_i$ are the norms of the cyclotomic units of $\mathcal{O}_K$, by using the methods of [CDPR16].
4: $g'' \leftarrow g' \cdot u^{-1}$.
5: Solve $N_{K/K^+}(g_0) = g''$.
6: return $g_0$.
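Steps 1 and 2 of Algorithm 7, the signature system over $\mathbb{F}_2$, for $K^+ = \mathbb{Q}(\zeta_{2^s})^+$, as an added Python example (not code from the paper). Elements of $K^+$ are represented by their real embeddings, indexed by odd $k < N/2$; the generators of $\mathcal{O}_{K^+}^*$ modulo squares are taken to be $-1$ together with the real cyclotomic units $u_a = \zeta^{(1-a)/2}(1-\zeta^a)/(1-\zeta)$, $a$ odd, whose embeddings are $\sin(\pi a k/N)/\sin(\pi k/N)$; that these generate all signatures for the small $N$ used here is assumed (it holds when the cyclotomic units are the full unit group, as for $N = 16$ and $N = 32$). The input $g = \theta - 1$ with $\theta = \zeta + \zeta^{-1}$ is constructed, and `solve_gf2` returns `None` when $s(g)$ is not in the row span of $M$, which Proposition 4 rules out for these fields.

```python
import math


def real_embeddings(N):
    """Indices k of the real embeddings of K+ = Q(zeta_N)^+, N = 2^s:
    sigma_k: zeta -> zeta^k with k odd; k and N-k give the same real embedding."""
    return [k for k in range(1, N // 2) if k % 2 == 1]


def cyclotomic_unit_embeddings(N, a, ks):
    """Real embeddings of u_a = zeta^{(1-a)/2}(1-zeta^a)/(1-zeta), a odd:
    sigma_k(u_a) = sin(pi a k / N) / sin(pi k / N)."""
    return [math.sin(math.pi * a * k / N) / math.sin(math.pi * k / N) for k in ks]


def signature(emb):
    """s(x)_i = 0 if sigma_i(x) > 0, 1 otherwise (Section 7 convention)."""
    return tuple(0 if v > 0 else 1 for v in emb)


def solve_gf2(rows, target):
    """Solve (x_1, ..., x_r) M = target over F_2, rows = rows of M.
    Returns a 0/1 list (free unknowns set to 0) or None if no solution exists."""
    r, m = len(rows), len(target)
    # equation j: sum_i x_i rows[i][j] = target[j]; the unknowns are packed as a bitmask
    eqs = [[sum(rows[i][j] << i for i in range(r)), target[j]] for j in range(m)]
    pivots, rank = [], 0
    for col in range(r):
        piv = next((i for i in range(rank, m) if (eqs[i][0] >> col) & 1), None)
        if piv is None:
            continue
        eqs[rank], eqs[piv] = eqs[piv], eqs[rank]
        for i in range(m):  # full reduction: clear this column everywhere else
            if i != rank and (eqs[i][0] >> col) & 1:
                eqs[i][0] ^= eqs[rank][0]
                eqs[i][1] ^= eqs[rank][1]
        pivots.append((col, rank))
        rank += 1
    if any(e[0] == 0 and e[1] for e in eqs[rank:]):
        return None  # 0 = 1: target not in the row span of M
    x = [0] * r
    for col, i in pivots:
        x[col] = eqs[i][1]
    return x


def totally_positive_multiplier(N, g_emb):
    """Steps 1-2 of Algorithm 7: a unit u = prod_i u_i^{x_i} with u*g totally positive.
    Generators (assumption of this example): u_3, u_5, ..., u_{N/2-1} and -1."""
    ks = real_embeddings(N)
    gens = [cyclotomic_unit_embeddings(N, a, ks) for a in range(3, N // 2, 2)]
    gens.append([-1.0] * len(ks))
    M = [signature(e) for e in gens]
    x = solve_gf2(M, signature(g_emb))
    if x is None:
        return None
    u_emb = [1.0] * len(ks)
    for xi, e in zip(x, gens):
        if xi:
            u_emb = [p * q for p, q in zip(u_emb, e)]
    return x, [p * q for p, q in zip(u_emb, g_emb)]


def sample_g(N):
    """Constructed input g = theta - 1, theta = zeta + zeta^{-1}: sigma_k(g) = 2cos(2 pi k / N) - 1."""
    return [2 * math.cos(2 * math.pi * k / N) - 1 for k in real_embeddings(N)]


if __name__ == "__main__":
    x, ug = totally_positive_multiplier(16, sample_g(16))
    print("exponents on (u_3, u_5, u_7, -1):", x)
    print("embeddings of u*g:", [round(v, 4) for v in ug])
```

For $N = 16$ the signature of $g$ is $(0,1,1,1)$ and the solver returns $x = (0,1,1,0)$, i.e. $u = u_5 u_7$ makes $g$ totally positive; the same routine is what Algorithm 7 runs before the BDD step, with the fundamental units of the actual field in place of the cyclotomic ones.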


Search for relations around the cyclotomic units. Our relation search
method to compute $\mathrm{Cl}(\mathcal{O}_K)$ consists of drawing polynomials $f(\zeta_N)$ with small
coefficients at random and checking the norm of the resulting algebraic integer for
smoothness. As we saw, the algebraic norm is bounded from above by a function
of the length of the vector of coefficients of $f(X)$. Therefore, it is natural to
search for elements represented by a very small coefficient vector.

We observe that $\mathcal{N}(f(\zeta_N))$ is a polynomial in the coefficients of $f$, and is
therefore a continuous function. In cyclotomic fields, we know a set of minima
for this function beforehand: the cyclotomic units $u_a = \frac{1-\zeta_N^{a}}{1-\zeta_N}$. For each $a$,
$\mathcal{N}(u_a) = 1$, and we expect small variations around the $u_a$ to yield algebraic
numbers of small norm, although the coefficient vector of the corresponding
polynomials might be long. In Table 1 we compared the strategy consisting of
drawing algebraic integers that are small variations around the cyclotomic units
to the sampling of random coefficient vectors. We drew coefficient vectors of
the same Hamming weight $w = 10, 20, 30, 50, 75, 100$ in $K = \mathbb{Q}(\zeta_{512})$. For each
$w$, we drew 100 random coefficient vectors with coefficients in $\{0, 1\}$ (denoted by
"Random vectors"), and we drew 100 elements that differed from a cyclotomic
unit $u$ of weight $w$ by a term $\zeta_N^{i}$ for some $i$.


Table 1. Average $\log(\mathcal{N}(\alpha))$

  Weight   Random vectors   Unit variations
    10          301              154
    20          430              156
    30          503              158
    50          586              159
    75          638              156
   100          674              154


In Table 1 we observe that the size of the elements $\alpha$ increases as the Hamming weight of their coefficient vector over the power basis gets larger. Meanwhile, at a comparable Hamming weight, the size of a small variation around a
cyclotomic unit does not seem to be affected. In fact, it is the distance to the
unit that seems to rule the size of $\alpha$. For example, we measured small variations
around $u_{101}$ (of Hamming weight 101):

- $\log(\mathcal{N}(u_{101} + \zeta_N)) = 151$;
- $\log(\mathcal{N}(u_{101} + \zeta_N^{10})) = 204$;
- a variation of $u_{101}$ by three monomials (two added, one subtracted): 238;
- a variation of $u_{101}$ by four monomials (three added, $\zeta_N^{50}$ subtracted): 283.

If we draw $\alpha'$ and $\alpha$ at random such that $\log(|\mathcal{N}(\alpha')|) \le \frac{1}{2}\log(|\mathcal{N}(\alpha)|)$, then the expected time $T'$ to find a smooth $\alpha'$ satisfies $T' \le \sqrt{T}$, where
$T$ is the expected time to find a smooth $\alpha$. Our numerical results indicate that
the unit variation method should provide a significant speed-up over the random
vectors method even when we allow a Hamming distance larger than one.
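The comparison behind Table 1 can be reproduced at small scale with the following added Python script (not code from the paper). It works in $\mathbb{Q}(\zeta_{256})$ rather than the field of the table, computes $\ln|\mathcal{N}(f(\zeta_N))|$ as the sum of $\ln|f(\zeta_N^{k})|$ over the $\varphi(N)$ complex embeddings (for $N$ a power of two these are the odd $k$), and compares random 0/1 coefficient vectors of weight $w$ on the power basis against $u_a \pm \zeta_N^{i}$ with $a$ the odd weight closest to $w$ (for $N = 2^s$, $u_a$ is a unit only when $a$ is odd, so even weights are rounded up). The conductor, sample counts and seed are constructed choices for the example.

```python
import cmath
import math
import random

N = 256  # constructed conductor; n = phi(N) = 128 (Table 1 uses a larger field)
GALOIS = [k for k in range(1, N) if k % 2 == 1]  # zeta -> zeta^k, k odd, for N a power of two


def log_norm(coeffs):
    """ln |N(f(zeta_N))| = sum over all embeddings k of ln |f(zeta_N^k)|.
    coeffs maps a degree d to the integer coefficient of zeta_N^d."""
    total = 0.0
    for k in GALOIS:
        z = cmath.exp(2j * math.pi * k / N)
        total += math.log(abs(sum(c * z ** d for d, c in coeffs.items())))
    return total


def cyclotomic_unit(a):
    """u_a = (1 - zeta^a)/(1 - zeta) = 1 + zeta + ... + zeta^{a-1}; a unit of Z[zeta_N] for a odd."""
    return {d: 1 for d in range(a)}


def random_01_vector(weight, rng):
    """Random 0/1 coefficient vector of the given Hamming weight on 1, zeta, ..., zeta^{n-1}."""
    return {d: 1 for d in rng.sample(range(N // 2), weight)}


def unit_variation(weight, rng):
    """u_a (a = weight rounded up to odd) plus or minus one monomial zeta^i: Hamming distance 1 from a unit."""
    f = cyclotomic_unit(weight | 1)
    d = rng.randrange(N // 2)
    f[d] = f.get(d, 0) + rng.choice((-1, 1))
    if f[d] == 0:
        del f[d]
    return f


def average_log_norm(sampler, weight, samples=40, seed=1):
    """Mean of ln |N(alpha)| over `samples` draws from `sampler` at the given weight (seeded for reproducibility)."""
    rng = random.Random(seed)
    return sum(log_norm(sampler(weight, rng)) for _ in range(samples)) / samples


if __name__ == "__main__":
    print("ln N(u_21) =", round(log_norm(cyclotomic_unit(21)), 9))  # a unit: 0 up to rounding
    print(" weight  random   unit variation")
    for w in (10, 20, 30, 50):
        r = average_log_norm(random_01_vector, w)
        v = average_log_norm(unit_variation, w)
        print(f"{w:6d} {r:8.1f} {v:10.1f}")
```

As in the table, the random vectors give a norm that grows with the weight, while the unit variations stay far below them; the numbers here are natural logarithms in a degree 128 field, so they are not directly comparable with Table 1's values.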


8 PIP and $\gamma$-SVP in $\mathbb{Q}(\zeta_{p^s})$ with precomputation

In Section 6 we showed how to solve the PIP in heuristic subexponential
time $2^{O(n^{1/2+\varepsilon})}$. This provides an attack against schemes relying on the hardness
of finding a short generator of a principal ideal such as [SV10, GGH13]. Also,
according to [CDPR16], the size of a short generator of $I$ resulting from the
BDD algorithm on the log-unit lattice is within $e^{\tilde{O}(\sqrt{n})}$ of the first minimum of
the ideal lattice $I$. Moreover, it was recently conjectured [CDW16] that for most
fields $\mathbb{Q}(\zeta_N)$, any ideal of $\mathcal{O}_{\mathbb{Q}(\zeta_N)}$ is within a short enough ideal multiple of a
principal ideal. Therefore, solutions to the PIP in $\mathcal{O}_{\mathbb{Q}(\zeta_N)}$ yield solutions to $\gamma$-SVP
in ideals of $\mathcal{O}_{\mathbb{Q}(\zeta_N)}$ for $\gamma \in e^{\tilde{O}(\sqrt{n})}$. Since the methods of Section 6 run in heuristic
subexponential time $2^{O(n^{1/2+\varepsilon})}$, this does not offer a better trade-off than using
a BKZ reduction with block size in $O(\sqrt{n})$.

In this section, we show how to leverage a subexponential precomputation to
solve all instances of $\gamma$-SVP in ideals of $\mathcal{O}_{\mathbb{Q}(\zeta_N)}$ for $N = p^s$ and $\gamma \in e^{\tilde{O}(\sqrt{n})}$ in time
better than $2^{O(\sqrt{n})}$, thus achieving a better trade-off than the BKZ reduction.
To the best of our knowledge, this is the first time a method for solving $\gamma$-SVP
beats the BKZ time/approximation trade-off, even with a precomputation on
the field. The general idea is to use the ideal class group computation given
by Algorithm 3 with a larger factor base bound $B$. This gives us a basis for all
relations between the prime ideals of norm less than $B$. Then, given an input ideal
$I$, we first compute $\alpha$ and $\mathfrak{q}_1, \dots, \mathfrak{q}_k$ such that $I = (\alpha)\prod_i \mathfrak{q}_i^{e_i}$ with $\mathcal{N}(\mathfrak{q}_i) \le B$,
and then we solve the PIP for $\prod_i \mathfrak{q}_i^{e_i}$. The larger the smoothness bound
$B$ is, the more expensive the precomputation gets. Meanwhile, all subsequent PIP
resolutions using this precomputation get faster since their run time is dominated
by the decomposition in $\mathrm{Cl}(\mathcal{O}_K)$ of $I$ as a product of ideals of norm bounded by
$B$.

1. Precomputation: Given $B$, find a basis for the lattice $\mathcal{L}$ of vectors $(e_i)_{i\le k}$
such that $\prod_i \mathfrak{q}_i^{e_i} \sim (1)$ for the $\mathcal{N}(\mathfrak{q}_i) \le B$.

2. Decomposition: Given $I$ and $B$, find $(\mathfrak{q}_i)_{i\le k}$ and $\alpha \in K$ such that $I = (\alpha)\prod_i \mathfrak{q}_i^{e_i}$.

3. Resolution: Given the decomposition of $I$ and $\mathcal{L}$, find a solution of $\gamma$-SVP
for $I$.


Precomputation step. Given $B$, Algorithm 3 returns a basis $(\mathbf{b}_1, \dots, \mathbf{b}_k)$ of the
lattice $\mathcal{L}$ of vectors $\mathbf{x}$ such that $\mathcal{B}^{\mathbf{x}} \sim (1)$ for $\mathcal{B} = \{\mathfrak{p} \mid \mathcal{N}(\mathfrak{p}) \le B\}$, together with
$\alpha_i \in K$ such that $\mathcal{B}^{\mathbf{b}_i} = (\alpha_i)$. Our precomputation step additionally processes
this basis and the $(\alpha_i)$ to return an HNF-reduced basis $(\mathbf{h}_1, \dots, \mathbf{h}_m)$ for $\mathcal{L}$.
Using [Sto00, Prop. 6.3], we can find a unimodular $U \in \mathrm{GL}_{k\times k}(\mathbb{Z})$ such that
$$UB = \begin{pmatrix} h_{1,1} & 0 & \cdots & 0 \\ \vdots & h_{2,2} & \ddots & \vdots \\ \vdots & & \ddots & 0 \\ * & * & \cdots & h_{m,m} \\ 0 & \cdots & \cdots & 0 \\ \vdots & & & \vdots \\ 0 & \cdots & \cdots & 0 \end{pmatrix}$$
is the HNF of $B = (\mathbf{b}_i)_{i\le k}$ with $\|U\| \le (\sqrt{m}\,\|B\|)^m$ in time
$$O\left(k\,m^{\theta-1}\log(\beta) + k\,m\log(m)\,\mathrm{Mult}(\log(\beta))\right)$$
for $\beta = (\sqrt{m}\,\|B\|)^m$, $\mathrm{Mult}(x)$ the complexity of $x$-bit integer multiplication, and
$2 < \theta < 3$ the matrix multiplication exponent. The matrix $H = UB$ has a
small essential part. Under GRH, $h_{i,i} = 1$ for $i > 12\log(|\Delta|)^2$. We leverage this
to facilitate the resolution of the linear system giving the solution to the PIP.
However, for this to yield a generator (as opposed to just the answer whether or
not $I$ is principal), we need to compute the $(\beta_i)_{i\le m}$ such that $\prod_{j\le k}\alpha_j^{u_{i,j}} = \beta_i$
for $i \le m$. As the coefficients of $U$ and the number of terms $m$ in the product
are large, we cannot afford to write down these algebraic numbers on the power
basis. However, we know that they are used to compute an element of $I$ whose
length is within $e^{\tilde{O}(\sqrt{n})}$ of the first minimum $\lambda_1(I)$ of the ideal lattice $I$. So we compute $\beta_i \bmod \mathfrak{p}_j$ for a collection of split prime ideals
$\mathfrak{p}_1, \dots, \mathfrak{p}_l$ such that $\prod_j \mathcal{N}(\mathfrak{p}_j) \ge e^{n}\,n^{n/2}\,|\Delta|\,\mathcal{N}(I)$, which is enough to recover such an element by the Chinese Remainder Theorem.

We also need to keep $\mathrm{Log}(\beta_i)$ as part of the precomputation as they are
needed for computing a short generator of a principal ideal by solving an instance of the BDD in $\mathrm{Log}(\mathbb{Z}[\zeta_N]^*)$. Each of these values satisfies $\mathrm{Log}(\beta_i) = \sum_{j\le k} u_{i,j}\,\mathrm{Log}(\alpha_j)$. The logarithm vectors of the $\alpha_j$ have polynomial size, but
the bit size of the $u_{i,j}$ is in $2^{O(n^{a})}$ for $1/2 < a < 1$ depending on the parameters of the precomputation. As we are aiming at lowering the cost of
subsequent resolutions of the short-PIP, which require the values of $\mathrm{Log}(\beta_i)$, we
must find different generators corresponding to the rows of $UB$. Let $i_0$ be such that
$\{\mathfrak{p}_1, \dots, \mathfrak{p}_{i_0}\} = \{\mathfrak{p} \mid \mathcal{N}(\mathfrak{p}) \le 12\ln(|\Delta|)^2\}$ and $i_1$ be such that $\mathcal{N}(\mathfrak{p}_{i_1}) > 12\ln(|\Delta|)^2$;
then $\beta_{i_1}$ is the generator of the principal ideal $\mathfrak{p}_{i_1}\cdot\prod_{j\le i_0}\mathfrak{p}_j^{h_{i_1,j}} = (\beta_{i_1})\mathcal{O}_K$.
We use the BDD solution in the log-unit lattice of Cramer et al. [CDPR16] to
find $\beta'_{i_1}$ such that $\mathfrak{p}_{i_1}\cdot\prod_{j\le i_0}\mathfrak{p}_j^{h_{i_1,j}} = (\beta'_{i_1})\mathcal{O}_K$ and such that the bit size of
the representation of $\mathrm{Log}(\beta'_{i_1})$ is bounded.

Proposition 6 (GRH + Heuristic 1). Assume that $B \in 2^{O(n^{a})}$ for $a > 1/2$,
and that $l \in O(\log(|\Delta|))$, $\mathcal{N}(\mathfrak{p}_j) \in O(\log(|\Delta|))$; then the heuristic expected run
time of Algorithm 8 is in $2^{O(n^{a})}$, and the bit size of the representation of the
$\mathrm{Log}(\beta_i)$ is polynomial in $n$.

Proof. The run time of Algorithm 8 is clearly dominated by the cost of the
search for relations and the computation of the HNF of the relation matrix
(together with the premultipliers). We need to bound the $\mathrm{Log}(\beta_i)$. The upper
bound on a generator $\beta_i$ of the principal ideal $I_i = \prod_{j\le m}\mathfrak{p}_j^{h_{i,j}}$ is essentially
given by the norm of the integral ideal $I_i$. When $i \le i_0$, $I_i$ has the shape $I_i = \prod_{j\le i_0}\mathfrak{p}_j^{h_{i,j}}$, while when $i > i_0$, $I_i$ is of the form $I_i := \mathfrak{p}_i\cdot\prod_{j\le i_0}\mathfrak{p}_j^{h_{i,j}}$. For
each $j \le i_0$, $\mathcal{N}(\mathfrak{p}_j) \le 12\ln(|\Delta|)^2$, while $\mathcal{N}(\mathfrak{p}_i) \in L_{|\Delta|}(a,b)$ if $i > i_0$ and $h_{i,j} \le |\mathrm{Cl}(\mathcal{O}_K)| \in \tilde{O}(\sqrt{|\Delta|})$ for $i, j \le i_0$. Therefore, in any case $\mathcal{N}(I_i) \in 2^{\tilde{O}(|\Delta|)}$, and
$\|\beta_i\| \le 2^{\tilde{O}(n^{1/2})}\mathcal{N}(I_i)^{1/n} \in 2^{\tilde{O}(|\Delta|)}$. For each $\sigma \in \mathrm{Gal}(K/\mathbb{Q})$, $\max_\sigma|\sigma(\beta_i)| \le \|\beta_i\|_1 \in 2^{\tilde{O}(|\Delta|)}$ and
$$\min_\sigma|\sigma(\beta_i)| \ge \frac{\mathcal{N}(I_i)}{(\max_\sigma|\sigma(\beta_i)|)^{n-1}} \in 2^{-\tilde{O}(|\Delta|)}.$$
Therefore, for all $\sigma \in \mathrm{Gal}(K/\mathbb{Q})$, $|\ln(|\sigma(\beta_i)|)| \in \tilde{O}(|\Delta|)$, and the representation of the vector
$\mathrm{Log}(\beta_i)$ has a polynomial bit size in $n$.


Algorithm 8 Precomputation step

Input: Split primes $(\mathfrak{p}_j)_{j\le l}$, $B > 0$, and conductor $N$.
Output: $H$ in HNF form with $(\beta_i \bmod \mathfrak{p}_j)$ such that $\mathcal{B}^{H_i} = (\beta_i)\mathcal{O}_K$ for $\mathcal{B} = \{\mathfrak{p} \mid \mathcal{N}(\mathfrak{p}) \le B\}$, and $(\mathrm{Log}(\beta_i))_{i\le m}$.
1: Compute a generating set $\mathbf{b}_1, \dots, \mathbf{b}_k$ of the lattice $\mathcal{L}$ of vectors $\mathbf{x}$ such that $\mathcal{B}^{\mathbf{x}} \sim (1)$
and such that $\mathcal{B}^{\mathbf{b}_i} = (\alpha_i)$ using Algorithm 3.
2: Find $U \in \mathrm{GL}_{k\times k}(\mathbb{Z})$ such that $U \cdot B = H$ in HNF form using [Sto00, Prop. 6.3].
3: for $i \le k$, $j \le l$ do Compute $\beta_i \bmod \mathfrak{p}_j := \alpha_1^{u_{i,1}}\cdots\alpha_k^{u_{i,k}} \bmod \mathfrak{p}_j$.
4: Let $u_1, \dots, u_r$ be the cyclotomic units of $\mathbb{Q}(\zeta_N)$.
5: for $1 \le i \le m$ do
6:   $I_i \leftarrow \mathcal{B}^{H_i}$.
7:   Let $(x_j)_{j\le r}$ be the output of Algorithm 2 solving the BDD on input $(u_j)_{j\le r}$.
8:   $\beta_i \bmod \mathfrak{p}_k \leftarrow u_1^{x_1}\cdots u_r^{x_r}\,\beta_i \bmod \mathfrak{p}_k$ for $k \le l$.
9:   $\mathrm{Log}(\beta_i) \leftarrow x_1\mathrm{Log}(u_1) + \cdots + x_r\mathrm{Log}(u_r) + \mathrm{Log}(\beta_i)$.
10: end for
11: return $H$, $(\beta_i \bmod \mathfrak{p}_j)_{i\le m, j\le l}$, $(\mathrm{Log}(\beta_i))_{i\le m}$.

Decomposing $I$. The second step of our search for a generator of $I$ satisfying
$\mathcal{N}(I) \le 2^{n^{b}}$ is to break it down as a product of ideals of norm less than $B \in 2^{O(n^{2-3a+2\varepsilon})}$ for an arbitrarily small $\varepsilon > 0$ in time $2^{O(n^{a+o(1)})}$, where

1. $b < 7a - 2$,

2. $\frac{2}{5} < a < \frac{1}{2}$.

We proceed by a q-descent procedure similar to that of Section 6. Given a prime
ideal $\mathfrak{q}$ such that $\log(\mathcal{N}(\mathfrak{q})) \le n^{b}$, we look for $\alpha \in \mathfrak{q}$ such that $(\alpha)/\mathfrak{q} = \prod_i \mathfrak{q}_i^{e_i}$
where the $\mathfrak{q}_i$ are prime ideals satisfying $\log(\mathcal{N}(\mathfrak{q}_i)) \le n^{b-\varepsilon}$. We look for small
vectors of $\mathcal{L}_I$, with the same definition of $\mathcal{L}_I$ as in Section 6, by using the BKZ
reduction method with block size $l := n^{a}$ and by parameterizing $\mathcal{L}_I$ with the
degree $k := n^{\min\{4a-1,\; b+2a-1-\varepsilon\}}$.

Lemma 3. Let $l \le k \le n$. By using a BKZ reduction on $\mathcal{L}_I$, we can find a
vector in $\mathcal{L}_I$ of length less than $l^{k/2l}\,\mathcal{N}(I)^{1/k}$ in time $2^{O(l)}$.

Proof. The determinant of $\mathcal{L}_I$ is that of the upper left $k \times k$ submatrix of $H$
and satisfies $\det(\mathcal{L}_I) \le \prod_{i\le n} v_{i,i} = \mathcal{N}(I)$. A BKZ-reduction with block length
$l$ returns a basis whose first vector has length less than $l^{k/2l}(\det(\mathcal{L}_I))^{1/k}$ in time
$2^{O(l)}$.

Lemma 4. In time $2^{O(l)}$, we can find an element $\alpha \in I$ such that $\mathcal{N}(\alpha) \le l^{kn/2l}\,n^{n/2}\,\mathcal{N}(I)^{n/k}$.

Proof. Let $\alpha$ be the first vector of a BKZ-reduced basis of $\mathcal{L}_I$ with block size $l$. The calculation
of this basis takes time $2^{O(l)}$ and by Lemma 3 the length of its first vector
$(a_1, \dots, a_k)$ is bounded by $l^{k/2l}\,\mathcal{N}(I)^{1/k}$. By the same argument as in the proof
of Proposition 1, the algebraic norm of $\alpha := \sum_i a_i\zeta_N^{i}$ satisfies
$$\mathcal{N}(\alpha) \le \left(\sqrt{n}\,\|(a_1,\dots,a_k)\|\right)^{n} \le l^{kn/2l}\,n^{n/2}\,\mathcal{N}(I)^{n/k}.$$


Algorithm 9 One round of the q-descent

Input: Prime ideal $\mathfrak{q}$ with $\log(\mathcal{N}(\mathfrak{q})) \le n^{b}$, $\varepsilon > 0$, $a > 0$, and a conductor $N$.
Output: Prime ideals $\mathfrak{p}_i$, integers $e_i$ and $\alpha \in \mathfrak{q}$ such that $(\alpha)/\mathfrak{q} = \prod_i \mathfrak{p}_i^{e_i}$ and
$\log(\mathcal{N}(\mathfrak{p}_i)) \le n^{b-\varepsilon}$.
1: $S \leftarrow \{\mathfrak{p}_i \text{ such that } \mathcal{N}(\mathfrak{p}_i) \le 12\log(|\Delta|)^2\}$.
2: while no relation has been found do
3:   $(x_i)_i \leftarrow_R [0, A]^{|S|}$, $I \leftarrow \mathfrak{q}\prod_i \mathfrak{p}_i^{x_i}$, where $R$ is the uniform distribution.
4:   Construct a basis for the lattice $\mathcal{L}_I$ with $k := n^{\min\{4a-1,\; b+2a-1-\varepsilon\}}$.
5:   BKZ-reduce $\mathcal{L}_I$ with block size $l := n^{a}$ and let $\alpha$ be its first vector.
6:   if $(\alpha)$ is $2^{n^{b-\varepsilon}}$-smooth, find $(\mathfrak{p}_i), (e_i)$ such that $(\alpha) = \prod_i \mathfrak{p}_i^{e_i}$.
7: end while
8: return $\alpha$, $(e_i)$, $(\mathfrak{p}_i)$, $(x_i)$.


Proposition 7 (GRH + Heuristic 1). Let $\varepsilon > 0$ be an arbitrarily small constant and let $a, b > 0$ be constants satisfying

1. $2 - 3a + 2\varepsilon < b < 7a - 2$,

2. $\frac{2}{5} + \frac{\varepsilon}{5} < a < \frac{1}{2}$.

Let $\mathfrak{q}$ be a prime with $\log(\mathcal{N}(\mathfrak{q})) \le n^{b}$. When $N = p^s$, there is a large enough
constant $A$ such that Algorithm 9 returns a decomposition of $\mathfrak{q}$ in $\mathrm{Cl}(\mathcal{O}_K)$ as a
product of primes $\mathfrak{p}_i$ with $\log(\mathcal{N}(\mathfrak{p}_i)) \le n^{b-\varepsilon}$ in time $2^{O(n^{a+o(1)})}$.

Proof. According to Lemma 4, any $\alpha$ derived in Step 5 of Algorithm 9 satisfies
$$\log(\mathcal{N}(\alpha)) \in O\left(\frac{kn\log(l)}{2l}(1+o(1)) + \frac{n}{k}\log(\mathcal{N}(\mathfrak{q}))\right).$$
As $k \le n^{4a-1}$ and $l = n^{a}$, we get
$$\frac{kn}{l} \le n^{1+4a-1-a} = n^{3a}.$$
Likewise, since $k = \min\{n^{4a-1}, n^{b+2a-1-\varepsilon}\}$, we get
$$\frac{n}{k}\log(\mathcal{N}(\mathfrak{q})) \le n^{1+b-4a+1} \le n^{3a}, \qquad \frac{n}{k}\log(\mathcal{N}(\mathfrak{q})) \le n^{1+b-(b+2a-1-\varepsilon)} = n^{2(1-a)+\varepsilon} \le n^{3a}.$$
The first inequality follows from $b \le 7a - 2$, and the latter from the fact that by definition $a > \frac{2}{5} + \frac{\varepsilon}{5}$. In each
case, $\log(\mathcal{N}(\alpha)) \in O(n^{3a}(1+o(1)))$, and testing the smoothness of $\mathcal{N}(\alpha)$ with
the Number Field Sieve takes time $2^{O(n^{a+o(1)})}$. As $k \le n^{b+2a-1-\varepsilon}$, we also have
$$\frac{kn}{l} \le n^{1+b+2a-1-\varepsilon-a} = n^{a+b-\varepsilon}.$$
In addition, we can show that $k \ge n^{1-a+\varepsilon}$. Indeed, from the definition of $a, b$ we
get
$$1 - a + \varepsilon < 4a - 1 \iff \frac{2}{5} + \frac{\varepsilon}{5} < a, \qquad 1 - a + \varepsilon < b + 2a - 1 - \varepsilon \iff 2 - 3a + 2\varepsilon < b.$$
Therefore, we have the following inequality
$$\frac{n}{k}\log(\mathcal{N}(\mathfrak{q})) \le n^{1+b-(1-a+\varepsilon)} = n^{a+b-\varepsilon}.$$
This means that $\log(\mathcal{N}(\alpha)) \in O(n^{a+b-\varepsilon}(1+o(1)))$, and from Heuristic 1 the
number of $\alpha$ we need to test before obtaining one such that $(\alpha)/I$ is $2^{n^{b-\varepsilon}}$-smooth
is bounded by $2^{O(n^{a+o(1)})}$. For correctness, we need to check that we always have
$l \le k \le n$. First, $k \ge n^{1-a+\varepsilon}$, and
$$1 - a + \varepsilon > a \iff a < \frac{1}{2} + \frac{\varepsilon}{2}.$$
Since $a < \frac{1}{2}$, we must have $k \ge n^{a} = l$. On the other hand, we have $k = \min\{n^{4a-1}, n^{b+2a-1-\varepsilon}\}$, and $4a - 1 < 1 \iff a < \frac{1}{2}$, which is satisfied by definition
of $a$. Therefore, we always have $k \le n$.


Algorithm 10 q-descent

Input: $I \subseteq \mathcal{O}_K$ with $\mathcal{N}(I) \le 2^{n^{b_0}}$, $\varepsilon > 0$ and $a$ such that $b_0 < 7a - 2$ and $\frac{2}{5} + \frac{\varepsilon}{5} < a < \frac{1}{2}$.
Output: Prime ideals $(\mathfrak{q}_i)_{i\le l} \in \mathcal{B}$ with $\mathcal{N}(\mathfrak{q}_i) \le 2^{n^{2-3a+2\varepsilon}}$, integers $(e_i)$ and $(\phi_j)_{j\le k} \in K$ such that $I = \prod_{j\le k}(\phi_j)\prod_{i\le l}\mathfrak{q}_i^{e_i}$.
1: genList $\leftarrow \{1\}$, primeList $\leftarrow \{I\}$, expList $\leftarrow \{1\}$.
2: $b \leftarrow b_0$.
3: while $b > 2 - 3a + 2\varepsilon$ do
4:   for $\mathfrak{q} \in$ primeList with $\log(\mathcal{N}(\mathfrak{q})) > n^{b-\varepsilon}$ do
5:     Find $(\mathfrak{q}_i)_{i\le l}$, $(e_i)_{i\le l}$ and $\phi_k$ such that $\mathfrak{q} = (\phi_k)\prod_{i\le l}\mathfrak{q}_i^{e_i}$ by Algorithm 9.
6:     genList $\leftarrow$ genList $\cup \{\phi_k\}$, primeList $\leftarrow$ primeList $\cup \{\mathfrak{q}_1, \dots, \mathfrak{q}_l\}$.
7:     expList $\leftarrow$ expList $\cup \{e_1, \dots, e_l\}$.
8:     Remove $\mathfrak{q}$ from primeList and expList.
9:   end for
10:  $b \leftarrow b - \varepsilon$.
11: end while
12: return genList, primeList, expList.

Proposition 8 (GRH + Heuristic 1). Algorithm 10 decomposes $I$ with $\mathcal{N}(I) \le 2^{n^{b}}$ as a $2^{O(n^{2-3a+2\varepsilon})}$-smooth product in $\mathrm{Cl}(\mathcal{O}_K)$ in time $2^{O(n^{a+o(1)})}$ for arbitrarily small $\varepsilon > 0$ and

1. $2 - 3a + 2\varepsilon < b < 7a - 2$,

2. $\frac{2}{5} + \frac{\varepsilon}{5} < a < \frac{1}{2}$.
Resolution step. Given an input ideal $I$ of $\mathcal{O}_K$, we use the method of Cramer,
Ducas, and Wesolowski [CDW16] to compute an ideal $J$ with $\mathcal{N}(J) \in 2^{\tilde{O}(n^{1+c})}$
for some $c > 0$ such that $IJ$ is principal. Under the heuristic used in [CDW16]
stating that the class group is generated by the prime ideals above a number
of primes in $O(\log(n))$, we have $c = 1/2$. Given a generator $\alpha$ of $IJ$, the short
generator recovery method of Cramer et al. [CDPR16] returns an element $\beta \in IJ \subseteq I$ approximating the shortest vector of $I$ by a factor $e^{\tilde{O}(\sqrt{n})}$. Our ideal
decomposition technique is used twice in this resolution step:

1. To decompose the class of $I$ as a product of a short basis of generators of
$\mathrm{Cl}(\mathcal{O}_K)$ in [CDW16, Alg. 1 Step 1].

2. To decompose the principal ideal $IJ \subseteq I$ given by [CDW16, Alg. 1 Step 1]
on a short basis of generators of $\mathrm{Cl}(\mathcal{O}_K)$ and find its generator.

In both cases, we use the fact that under the GRH, the essential part of the
precomputed HNF of the relation matrix has less than $12\ln(|\Delta|)^2$ columns (corresponding to the prime ideals of norm less than $12\ln(|\Delta|)^2$). The HNF has the shape
$$H = \begin{pmatrix} H_1 & 0 \\ H_2 & I \end{pmatrix}$$
where $I$ is an identity block corresponding to the relations
of the form $\mathfrak{p} \sim \prod_i \mathfrak{p}_i^{e_i}$, where $(-e_i)$ is a row vector of $H_2$, $\mathcal{N}(\mathfrak{p}_i) \le 12\ln(|\Delta|)^2$
and $\mathfrak{p} \in \mathcal{B}$, $\mathcal{N}(\mathfrak{p}) > 12\ln(|\Delta|)^2$. Given a decomposition of an input ideal over
$\mathcal{B}$, it is straightforward to rewrite all large prime ideals as products of the ideals
of norm less than $12\ln(|\Delta|)^2$. We describe this procedure in Algorithm 11.


Algorithm 11 Decomposition over a small generating set

Input: Hermite form $H = \begin{pmatrix} H_1 & 0 \\ H_2 & I \end{pmatrix}$ of the matrix of relations between primes of
$\mathcal{B} = \{\mathfrak{p} \mid \mathcal{N}(\mathfrak{p}) \le L_{|\Delta|}(a,b)\}$ for some $a, b > 0$, and input ideal $I$.
Output: $(e_i)$ such that $I \sim \prod_i \mathfrak{p}_i^{e_i}$ for the $\mathfrak{p}_i$ such that $\mathcal{N}(\mathfrak{p}_i) \le 12\ln(|\Delta|)^2$.
1: Use the q-descent to find $I \sim \prod_i \mathfrak{q}_i$ with $\mathfrak{q}_i \in \mathcal{B}$.
2: $i_0 \leftarrow |\mathcal{B}_0|$.
3: for $\mathfrak{q}_j$ with $\mathcal{N}(\mathfrak{q}_j) > 12\ln(|\Delta|)^2$ do
4:   Use the corresponding row in $H_2$ to find $\mathfrak{q}_j \sim \prod_{i\le i_0}\mathfrak{p}_i^{e_{j,i}}$.
5:   Update the decomposition of $I$.
6: end for
7: return $(e_i)$ where $I \sim \prod_{i\le i_0}\mathfrak{p}_i^{e_i}$.


Algorithm 11 can be used in substitution of Step 1 of [CDW16, Alg. 1], which
starts by decomposing an ideal over the factor base, and then finds a close vector
in the relation lattice to the ideal annihilating the input ideal in the class group.
In [CDW16], the authors only considered quantum polynomial time methods
to perform this decomposition. Indeed, the best available classical subexponential solutions [Biab, BF14] (and even the methods described in Section 6) did
not yield a better approximation/cost trade-off than the BKZ reduction. However, we can leverage an expensive (but still subexponential) precomputation to
achieve a better compromise. The call to [CDW16, Alg. 1] must be preceded by
a random walk in the Cayley graph of the class group bringing the input ideal $I$
into $\mathrm{Cl}^-(\mathcal{O}_K) = \ker(N_{K/K^+})$ where $N_{K/K^+}: \mathrm{Cl}(\mathcal{O}_K) \to \mathrm{Cl}(\mathcal{O}_{K^+})$. This consists
of multiplying $I$ by random products of primes of norm in $O(n)$ until it equals
an ideal in $\mathrm{Cl}^-(\mathcal{O}_K)$. The norm of $I$ gets multiplied by a factor in $2^{O(n)}$.

Heuristic 3. When $K = \mathbb{Q}(\zeta_N)$ for a conductor of the form $N = p^s$, the class
number of the maximal real subfield of $K$ satisfies $h^+(K) \in O(n)$ and the class group
of $\mathcal{O}_K$ is generated by primes above a number polylogarithmic in $n$ of primes.

Proposition 9 (GRH + Heuristic 1). When using a precomputation corresponding to Algorithm 8 with smoothness bound $B \in 2^{O(n^{2-3a+2\varepsilon})}$ for $a, b, \varepsilon > 0$
such that

1. $2 - 3a + 2\varepsilon < b < 7a - 2$,

2. $\frac{2}{5} + \frac{\varepsilon}{5} < a < \frac{1}{2}$,

the run time of [CDW16, Alg. 1 Step 1] on the input ideal $I$ satisfying $\log(\mathcal{N}(I)) \le n^{b}$ is in $2^{O(n^{a+o(1)})}$.


Algorithm 12 $\gamma$-SVP with precomputation for $\gamma \in e^{\tilde{O}(\sqrt{n})}$

Input: Hermite form $H = \begin{pmatrix} H_1 & 0 \\ H_2 & I \end{pmatrix}$ of the relation matrix with $(\alpha_i \bmod \mathfrak{p}_j)_{i\le k, j\le l}$,
$(\mathrm{Log}(\alpha_i))_{i\le m}$ where $m = |\mathcal{B}|$ for $\mathcal{B} = \{\mathfrak{p} \mid \mathcal{N}(\mathfrak{p}) \le L_{|\Delta|}(a,b)\}$ for some $a, b$, satisfying
$\mathcal{B}^{H_i} = (\alpha_i)\mathcal{O}_K$, and input ideal $I$.
Output: $\beta \in I$ with $\|\beta\| \le e^{\tilde{O}(\sqrt{n})}\,\mathcal{N}(I)^{1/n}$.
1: $i_0 \leftarrow \dim(H_1)$, $\mathcal{B}_0 \leftarrow \{\mathfrak{p}_1, \dots, \mathfrak{p}_{i_0}\}$.
2: $I \leftarrow II'$ where $\mathcal{N}(I') \in 2^{O(n)}$ and $II' \in \mathrm{Cl}^-(\mathcal{O}_K)$.
3: Decompose $I$ over $\mathcal{B}_0$ using Algorithm 11.
4: Find $J$ such that $IJ$ is principal using [CDW16, Alg. 1]. $I \leftarrow IJ$.
5: Decompose $I = (\delta)\prod_{i\le i_0}\mathfrak{p}_i^{e_i}\cdot\prod_{i>i_0}\mathfrak{p}_i^{f_i}$ using Algorithm 10.
6: Deduce $(\delta' \bmod \mathfrak{p}_i)$ and $\mathrm{Log}(\delta')$ such that $I = (\delta')\,\mathcal{B}^{(e_i) + \sum_{i>i_0} f_i H_i}$.
7: $y \leftarrow (e_i) + \sum_{i>i_0} f_i H_i$. Solve $xH = y$.
8: Deduce $(\beta_0 \bmod \mathfrak{p}_i)$ and $\mathrm{Log}(\beta_0)$ such that $I = (\beta_0)$.
9: Use the methods of [CDPR16] to derive $(x_i)$ such that $\beta_0\prod_i u_i^{x_i}$ is a short generator
of $I$, where the $u_i$ are the cyclotomic units.
10: Compute $\beta_0\prod_i u_i^{x_i} \bmod \mathfrak{p}_j$ for $j \le l$ and reconstruct $\beta = \beta_0\prod_i u_i^{x_i}$ by the Chinese
Remainder Theorem.
11: return $\beta$.
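Algorithm 11 and Steps 5 to 8 of Algorithm 12 reduce to exponent arithmetic on the relation matrix: rewrite the large primes through the rows of $H_2$, then solve $xH_1 = y$ over $\mathbb{Z}$ by back substitution on the lower-triangular essential part. The following Python is an added illustration of that bookkeeping on a constructed toy relation matrix (two small primes $\mathfrak{p}_1, \mathfrak{p}_2$, two large primes $\mathfrak{q}_1, \mathfrak{q}_2$); it is not code from the paper, and the sign convention for $H_2$ (row $j$ stores $-c_{j,i}$ for the relation $\mathfrak{q}_j\prod_i\mathfrak{p}_i^{-c_{j,i}} = (\beta_{i_0+j})$) is an assumption of this example. Ideal and generator arithmetic is left out: the functions only track exponent vectors, which is what decides principality, and return the exponents of the $\beta_i$ that a generator would be assembled from.

```python
from fractions import Fraction


def rewrite_over_small_primes(e_small, f_large, H2):
    """Algorithm 11, Steps 3-6. Row j of H2 is (-c_{j,1}, ..., -c_{j,i0}) for the relation
    q_j * prod_i p_i^{-c_{j,i}} = (beta_{i0+j}), i.e. q_j ~ prod_i p_i^{c_{j,i}}.
    I = (delta) prod p_i^{e_i} prod q_j^{f_j}  becomes  I = (delta * prod beta_{i0+j}^{f_j}) prod p_i^{y_i}.
    Returns (y, f) with y the exponents over B0 and f the exponents of the absorbed beta_{i0+j}."""
    y = list(e_small)
    for f_j, row in zip(f_large, H2):
        for i, entry in enumerate(row):
            y[i] -= f_j * entry  # entry = -c_{j,i}
    return y, list(f_large)


def solve_x_H(H1, y):
    """Solve x * H1 = y over Z for H1 lower triangular (row HNF of the essential part):
    (x H1)_j = sum_{i >= j} x_i H1[i][j], so back-substitute from the last column.
    Returns x, or None when y is not in the relation lattice (the class of prod p_i^{y_i} is non-trivial)."""
    m = len(H1)
    x = [Fraction(0)] * m
    for j in range(m - 1, -1, -1):
        acc = Fraction(y[j]) - sum(x[i] * H1[i][j] for i in range(j + 1, m))
        if acc % H1[j][j] != 0:
            return None
        x[j] = acc / H1[j][j]
    return [int(v) for v in x]


def principal_generator_exponents(H1, H2, e_small, f_large):
    """Steps 5-8 of Algorithm 12 on the exponent side. Returns (y, x, f) meaning
    I = (delta * prod_j beta_{i0+j}^{f_j} * prod_i beta_i^{x_i}), or None if I is not principal."""
    y, f = rewrite_over_small_primes(e_small, f_large, H2)
    x = solve_x_H(H1, y)
    return None if x is None else (y, x, f)


# Constructed toy relation matrix: B0 = {p1, p2} (i0 = 2), large primes q1, q2.
H1 = [[2, 0],    # p1^2       = (beta_1)
      [1, 3]]    # p1 p2^3    = (beta_2)
H2 = [[-1, -1],  # q1 p1^-1 p2^-1 = (beta_3)  =>  q1 ~ p1 p2
      [0, -2]]   # q2 p2^-2       = (beta_4)  =>  q2 ~ p2^2

if __name__ == "__main__":
    # I = (delta) p1^3 q1 q2^2  ->  p1^4 p2^5, and (4,5) is not in the row lattice of H1: not principal
    print(principal_generator_exponents(H1, H2, [3, 0], [1, 2]))
    # I = (delta) p1^3 p2 q1 q2^2  ->  p1^4 p2^6 = (beta_1 beta_2^2): principal, x = (1, 2)
    print(principal_generator_exponents(H1, H2, [3, 1], [1, 2]))
```

In Algorithm 12 the `None` branch cannot occur after Step 4, which has multiplied $I$ by $J$ so that its class is trivial; in Algorithm 11 alone the rewrite is all that is needed, since only the class of $I$ over $\mathcal{B}_0$ is passed on to [CDW16, Alg. 1].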


Proposition 10 (GRH + Heuristic 1 + Heuristic 3). When using a precomputation corresponding to Algorithm 8 with smoothness bound $B \in 2^{O(n^{2-3a+2\varepsilon})}$
for $a, b, \varepsilon > 0$ such that

1. $2 - 3a + 2\varepsilon < b < 7a - 2$,

2. $\frac{2}{5} + \frac{\varepsilon}{5} < a < \frac{1}{2}$,

on the input ideal $I$ satisfying $\log(\mathcal{N}(I)) \le n^{b}$, the run time of Algorithm 12 is
in $2^{O(n^{a+o(1)})}$ and it returns a solution to $\gamma$-SVP for $\gamma \in e^{\tilde{O}(\sqrt{n})}$.

For example, with $a = \frac{3}{7}$ and $b = 1 + o(1)$, if an entity spends a precomputation cost in $2^{O(n^{5/7+\varepsilon})}$ for an arbitrarily small $\varepsilon > 0$, then all subsequent instances
of $\gamma$-SVP in ideals $I$ of $\mathcal{O}_K$ satisfying $\log(\mathcal{N}(I)) \le n^{1+o(1)}$ for $\gamma \in e^{\tilde{O}(\sqrt{n})}$ will
take heuristic time in $2^{O(n^{3/7+o(1)})}$. In particular, the public keys of the multilinear maps of Garg, Gentry and Halevi satisfy the requirement on the norm of
the input. This means that with a precomputation of cost $2^{O(n^{5/7+\varepsilon})}$, our key recovery attack takes heuristic time $2^{O(n^{3/7+o(1)})}$. The attack with precomputation
has two main scenarios:

— An entity precomputes the data and the attacker downloads it. In this case
the storage required is proportional to the expected time of the attack, that
is $2^{O(n^{a})}$.

— The attacker is allowed to query the entity having done the precomputation.
In this case, the entity sends the attacker beforehand the significantly smaller matrix
corresponding to the relations between the short ideals, and for
each challenge, the attacker asks for the decomposition of the large primes
in the decomposition of the ideal given as input to the q-descent.

Remark. The precomputation can go on after the computation of the HNF of the
large relation matrix. The entity performing the precomputation can continue
creating new relations by performing q-descents on the large primes which are
not already in the factor base $\mathcal{B}$. The HNF of the relation matrix can be updated
at a minimal cost.